A shockingly large number of home-based routers are actively being compromised by a sophisticated hacking group who has spent the last two years targeting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux.

Researchers from Lumen Technologies’ Black Lotus Labs say that they have identified at least 80 targets infected by the stealthy malware, infecting routers made by Cisco, Netgear, Asus and Dray Tek. Dubbed, ZuoRAT, the remote access trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate with limited slowdown.

What is a RAT?

To understand ZuoRAT, we must first examine, what is a remote access trojan (RAT)? A remote access trojan is a tool used by malware developers to gain full access and remote control on a user’s system, including mouse and keyboard control, file access, and network resource access. Instead of destroying files or stealing data, a RAT gives attackers full control of a desktop or mobile device so that they can silently browse applications and files and bypass common security such as firewalls, intrusion detection systems and authentication controls.

The concept behind a RAT is not new and has been part of standard hacker tradecraft for decades. RATs help hackers develop persistent threats and form a backbone of intelligence gathering operations, which often lead to more advanced attacks against a specific target. RATs are a favored tool of government sponsored hackers. A 2015 incident in Ukraine illustrates the widespread and nefarious nature of RAT programs. Attackers using remote control malware cut power to 80,000 people by remotely accessing a computer authenticated into SCADA (supervisory control and data acquisition) machines that controlled the country’s utility infrastructure. RAT software made it possible for the attacker to access sensitive resources through bypassing the authenticated user’s elevated privileges on the network. These types of programs are actively being used by the Russian government today in the Ukraine.

Having access to critical machines that control city resources and infrastructure is one of the biggest dangers of RAT malware.

ZuoRAT

ZuoRAT utilizes custom-built malware written for MIPS architecture and compiled for small office and home office (SOHO) routers such as those manufactured by Cisco, Netgear, Asus and DrayTek. It has the ability to enumerate all devices connected to an infected router and collect the DNS lookup and network traffic they send and receive all while remaining undetected on the network.

Black Lotus team members note “while compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported.” “Similarly, reports of person in the middle style attacks, such as DNS and HTTP hijacking, are even rare and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by state-sponsored organization.”

The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai Internet of Things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices. Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces -dubbed CBeacon and GoBeacon – are custom made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.

ZuoRAT

ZuoRAT can pivot infections to connected devices using one of two methods:

  • DNS hijacking, which replaces the valid IP addresses corresponding to a domain such as Google or Facebook with a malicious one operated by the attacker.
  • HTTP hijacking, in which the malware inserts itself into the connection to generate a 302 error that redirects the user to a different IP address.

Complexity

The command and control infrastructure used in the campaign is intentionally complex in an attempt to conceal what is happening. One set of infrastructure is used to control infected routers, and another is reserved for the connected devices if they are later infected.

The researchers observed routers from 23 IP addresses with a persistent connection to a control server that they believe was performing an initial survey to determine if the targets were of interest. A subset of those 23 routers later interacted with a Taiwan-based proxy server for three months. A further subset of routers rotated to a Canada-based proxy server to obfuscate the attacker’s infrastructure.

ZuoRAT C&C

Black Lotus Labs visibility indicates ZuoRAT and the correlated activity represent a highly targeted campaign against US and Western European organizations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection. The extent to which the actors take pains to hide the C2 infrastructure cannot be overstated. First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection.

Questions

Several questions arise from this new discovery, namely:

What Can You Do?

Fortunately, (for now), this threat can be mitigated by rebooting your router. Most router malware cannot survive a reboot as nefarious programs reside in active memory of the system. A reboot will remove the initial ZuoRAT exploit. To fully recover however, it is recommended that devices should be factory reset.

Changes are, you have not updated your firmware in many months. Now, would be a good time to do that and if you have any other IoT devices at home or in your office, we recommend applying patches immediately.