August 10, 2022

COSFONE

Networking, PBX, IT, DIY Solution

Black Lotus warns of unusually sophisticated ZuoRAT malware targeting routers

4 min read

Black Lotus warns of unusually sophisticated ZuoRAT malware targeting routers



 

Black Lotus warns of unusually sophisticated ZuoRAT malware targeting routers.

It was reported on Tuesday that an incredibly sophisticated hacking group spent nearly two years infecting various routers in North America and Europe with malware that took full control of the operation of Windows, macOS and Linux internet-connected devices.

Researchers at Black Lotus Labs, part of Lumen Technologies, said it has identified at least 80 targets infected with stealth malware, involving router models from brands including Cisco, Netgear, Asus, and GrayTek.

 

Figure 1 – Overview of ZuoRAT activities (source: Black Lotus Labs )

 

Security researchers point out that the man behind the ZuoRAT attack on routers may have a deep and sophisticated background.

As part of a broader hacking campaign, the remote access trojan has been active since at least the fourth quarter of 2020.

 

Seeing custom malware written specifically for the MIPS architecture, this discovery is a security wake-up call for countless small and home office (SOHO) router users.

 

Figure 2 – Default login page hosted on Command & Control server

 

Although rarely reported, by using routers to hide their intent, the malware can not only enumerate all devices connected to an infected router, but also collect DNS queries and network traffic it sends and receives.

Man-in-the-middle attacks involving both DNS and HTTP hijacking are also fairly rare, further suggesting that ZuoRAT has a fairly high level of sophisticated threat actors behind it.

 

Figure 3 – Illustration of Communication Springboard

 

Black Lotus picked up at least four suspects during this malware campaign, and three of them appeared to be crafted from scratch.

The first is the MIPS-based ZuoRAT, which is very similar to the Mirai IoT malware and has been implicated in record-breaking distributed denial-of-service (DDoS) attacks, but it is often deployed using unpatched SOHO device vulnerabilities.

 

Figure 4 – Global distribution of ZuoRAT malware

 

 

Once installed, ZuoRAT will enumerate devices connected to the infected router.

Threat actors can then use DNS/HTTP hijacking to direct networked devices to install other specially tailored malware — including CBeacon and GoBeacon.

 

The former uses the C++ programming language, mainly for the Windows platform. The latter is written in Go and is primarily aimed at Linux/macOS devices.

 

Figure 5 – The three-no-certificate included with the malware

 

ZuoRAT can also infect connected devices with the plethora of Cobalt Strike hacking tools, and the remote command and control infrastructure is dubiously complicated to conceal its true purpose.

 

Black Lotus warns of unusually sophisticated ZuoRAT malware targeting routers

Figure 6 – Screenshot of traffic generated by CBeacon in a lab environment

 

During this period, Black Lotus security researchers noticed that the routers and C&C servers from 23 IP addresses established persistent connections, which means that the attackers are performing preliminary investigations to determine whether the target has value for deep attack.

 

Black Lotus warns of unusually sophisticated ZuoRAT malware targeting routers

Figure 7 – Screenshot of network traffic from the Go proxy

 

 

Fortunately, like most router malware, ZuoRAT cannot survive device reboots (consisting of files stored in a temporary directory).

Additionally, the original ZuoRAT exploit can be removed simply by resetting the infected device.

 

Black Lotus warns of unusually sophisticated ZuoRAT malware targeting routers

Function calls for the eight pre-built functions included with CBeacon

 

Even so, we recommend that you check for firmware updates for long-term connected devices.

Otherwise, once infected with other malicious software, it is still difficult for terminal device users to completely eliminate it.

 

 

Black Lotus warns of unusually sophisticated ZuoRAT malware targeting routers

Figure 8 – Comparison of C2.Heartbeat running on CBeacon / GoBeacon

 

 

For more details on this malware campaign, please also head over to Black Lotus Labs’ GitHub home



Copyright © All rights reserved. | Newsphere by AF themes.