A new form of malware was recently discovered that had evaded detection thanks to its unusually high level of sophistication. It has infected a wide range of routers in the US and Europe and delivers a payload that takes full control of connected devices running Windows, macOS, and Linux.

Lumen Technologies’ Black Lotus Labs has identified several targets already infected by the malware and performed a deeper analysis of how the infection works and how it stayed hidden so well.

How The Malware Worked

The malware was custom-built specifically for the small office and home office (SOHO) class of routers. Routers made by Cisco, Netgear, Asus, and DrayTek were found to be targeted the most by the malware, dubbed ZuoRAT. The malware acts as a Trojan and is part of a broader hacking campaign that has been active since 2020.

Once a router was infected, the malware could enumerate every device connected to it and collect the DNS lookups and network traffic those devices sent and received, all while remaining undetected.

The attackers compromised SOHO routers as an access vector to reach the adjacent LANs behind them. They also relied on man-in-the-middle attacks, using DNS and HTTP hijacking.

Altogether the campaign comprises at least four pieces of malware, three of them written from the ground up by the hacking group itself. Once a router is infected with ZuoRAT, it enumerates the connected devices. The threat actor can then use DNS hijacking and HTTP hijacking to make those devices install additional malware, which is how ZuoRAT pivots from the router to the hosts behind it.
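The DNS hijacking described above is observable from the hosts behind the router, because they receive answers that a trusted resolver would not give. The following is an added defender-side check, not code from the article or from Black Lotus Labs. It assumes a host can resolve a handful of names twice, once through the resolver its router handed out over DHCP and once through an independent resolver it trusts (for example over DNS-over-HTTPS), and it flags advertised resolvers that are not on an allowlist, answers that share no address with the trusted answer, and public names that suddenly resolve to a LAN address. The allowlist, hostnames, and addresses are all constructed for the example (RFC 5737 documentation ranges and RFC 1918 space).

```python
"""Defender-side check for router-level DNS hijacking (added example)."""
from dataclasses import dataclass
import ipaddress

# Hypothetical allowlist: the resolvers the router is expected to advertise.
TRUSTED_RESOLVERS = frozenset({"192.0.2.53", "192.0.2.54"})

# RFC 1918 space, checked explicitly rather than via ip_address().is_private,
# because Python also treats the RFC 5737 documentation ranges as private.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    kind: str    # "unknown-resolver", "private-answer", "mismatch", "missing"
    detail: str


def check_advertised_resolvers(advertised, trusted=TRUSTED_RESOLVERS):
    """Flag DHCP-advertised resolvers that are not on the allowlist.

    A compromised router can simply hand out an attacker-controlled resolver,
    so this is the cheapest check to run first.
    """
    findings = []
    for addr in advertised:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append(Finding("unknown-resolver", f"not an IP address: {addr!r}"))
            continue
        if addr not in trusted:
            findings.append(Finding("unknown-resolver", f"router advertises {addr}, not in allowlist"))
    return findings


def _has_lan_address(addrs):
    return any(ipaddress.ip_address(a) in net for a in addrs for net in _RFC1918)


def compare_answers(local, reference):
    """Compare A-record sets from the router's resolver against a trusted one.

    Both arguments map a hostname to a set of address strings. Exact equality is
    deliberately not required: CDN-backed names legitimately return different
    addresses from different vantage points, so only answers with no overlap at
    all are reported. A LAN address for a name the trusted resolver says is
    public is reported separately, since that is a much stronger indicator.
    """
    findings = []
    for name, ref in reference.items():
        got = local.get(name)
        if not got:
            findings.append(Finding("missing", f"{name}: no answer from router resolver"))
        elif _has_lan_address(got) and not _has_lan_address(ref):
            findings.append(Finding("private-answer",
                                    f"{name}: router resolver returned {sorted(got)} "
                                    f"but trusted resolver returned {sorted(ref)}"))
        elif not (got & ref):
            findings.append(Finding("mismatch",
                                    f"{name}: {sorted(got)} vs {sorted(ref)} share no address"))
    return findings


def run_checks(advertised, local, reference, trusted=TRUSTED_RESOLVERS):
    """Run both checks and return every finding, resolver findings first."""
    return check_advertised_resolvers(advertised, trusted) + compare_answers(local, reference)


# Constructed sample: what a host behind a tampered router might observe.
SAMPLE_ADVERTISED = ["192.0.2.53", "198.51.100.7"]           # second resolver is not on the allowlist
SAMPLE_LOCAL = {
    "www.example.com":    {"203.0.113.10", "203.0.113.11"},  # overlaps reference: fine
    "update.example.com": {"198.51.100.40"},                 # disjoint from reference: mismatch
    "login.example.com":  {"192.168.1.1"},                   # router's own LAN address: private-answer
}
SAMPLE_REFERENCE = {
    "www.example.com":    {"203.0.113.11", "203.0.113.12"},
    "update.example.com": {"203.0.113.20"},
    "login.example.com":  {"203.0.113.30"},
    "mail.example.com":   {"203.0.113.40"},                  # no local answer at all: missing
}

if __name__ == "__main__":
    for f in run_checks(SAMPLE_ADVERTISED, SAMPLE_LOCAL, SAMPLE_REFERENCE):
        print(f"[{f.kind}] {f.detail}")
```

On the sample data this reports one unknown resolver, one mismatch, one private answer, and one missing name. A single mismatch is only a lead, not proof, because of CDN and geo-DNS differences; the private-answer and unknown-resolver findings are the ones worth paging on, and any finding is a reason to reboot and patch the router as the article recommends.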

Protecting Your IT From Sophisticated Threats

Black Lotus Labs said the command-and-control infrastructure used in this campaign was deliberately complex in order to conceal what was happening. The group used multiple virtual private servers, several proxy servers based in different locations, and two separate control servers, one for infected routers and one for infected devices.

This level of complexity is suspected to be within reach only of nation-state actors. It also shows that threat actors do not overlook what would be considered small targets. Since more people have been working from home, these SOHO routers have been increasingly targeted by hacking groups.

Even though this malware is complex and sophisticated, it’s still possible to defend against it and keep it from infecting your network and devices. Like most router-based malware, ZuoRAT can’t survive a reboot. The infected routers were also found to be running older firmware versions.

You can protect your team and your data by enforcing patching and other safeguards on every device that makes up your network infrastructure. By working with a Managed IT Services provider like Natural Networks, you can implement policies that keep networks secured, locked down, and patched with the latest software at all times.

If you want to learn more about how Natural Networks can help defend your network infrastructure and devices, give us a call today!