Black Lotus Labs, a team of researchers from the Lumen company, has discovered malware that has been affecting hundreds of routers in North America and Europe for at least two years. The Trojan, dubbed ZuoRAT, appears to be able to access connected devices running Windows, Linux, or macOS to “upload and download files, execute commands, and persist on the workstation,” according to the researchers.
The malware, on the other hand, appears to work on routers from brands like Cisco, Netgear, Asus, and DrayTek. It has also been active since October 2020, taking advantage of the fact that many users telecommute. Lumen describes ZuoRAT as “a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted through the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules)”. It also works through different phases until it fulfills its objective: to control the connected devices.
The first phase is the malware loader. This is installed on SOHO devices, commonly used for workstations at home or to establish connectivity in small businesses. ZuoRAT, specifically, is installed by taking advantage of unpatched vulnerabilities in this type of router, and it allows the second phase to be executed.
This consists of enumerating the connected devices and running a DNS and HTTP hijack, which allows changing the URL the user visits to one that redirects to a malicious website or, in the case of HTTP hijacking, obtaining the cookies from the rest of the websites. The goal is for the user to unknowingly download new malware onto their computer.
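One defender-side check for the rule-based DNS hijacking described above is to compare the answers the router's resolver hands out with answers from an independent reference resolver; the following is an added example, not code from the article or from Lumen, and the answer sets are constructed sample data using RFC 5737 documentation addresses:

```python
"""Flag names whose answer from the router's resolver disagrees entirely
with an independent reference resolver (a sign of rule-based rewriting)."""
import ipaddress
from typing import Dict, List, Set

# Constructed sample data: answers obtained through the router's resolver.
ROUTER_ANSWERS: Dict[str, Set[str]] = {
    "bank.example": {"203.0.113.10"},
    "cdn.example": {"198.51.100.5", "198.51.100.6"},
    "mail.example": {"192.0.2.25"},
}

# Constructed sample data: the same names via a reference resolver.
REFERENCE_ANSWERS: Dict[str, Set[str]] = {
    "bank.example": {"192.0.2.80"},                    # no overlap at all
    "cdn.example": {"198.51.100.6", "198.51.100.7"},   # CDN rotation: partial overlap
    "mail.example": {"192.0.2.25"},                    # identical
}


def normalize(addrs: Set[str]) -> Set[str]:
    """Keep only syntactically valid IP addresses, in canonical form."""
    out: Set[str] = set()
    for a in addrs:
        try:
            out.add(str(ipaddress.ip_address(a)))
        except ValueError:
            continue  # ignore garbage such as CNAME text or typos
    return out


def suspicious_domains(router: Dict[str, Set[str]],
                       reference: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return names whose router answer shares no address with the reference.

    Rule-based hijacking rewrites specific names, so most names still agree.
    Partial overlap (CDN rotation, round-robin) is normal and is not flagged;
    a name with no reference answer cannot be judged and is skipped."""
    flagged: Dict[str, List[str]] = {}
    for name, addrs in router.items():
        ref = normalize(reference.get(name, set()))
        if not ref:
            continue
        got = normalize(addrs)
        if got and got.isdisjoint(ref):
            flagged[name] = sorted(got)
    return flagged


if __name__ == "__main__":
    for name, addrs in suspicious_domains(ROUTER_ANSWERS, REFERENCE_ANSWERS).items():
        print(f"possible DNS hijack via router: {name} -> {addrs}")
```

In practice the two answer sets would be gathered by querying the router's LAN address and a resolver reached over an encrypted transport, then passed to suspicious_domains.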
ZuoRAT, specifically, uses three additional pieces of malware designed for different devices: CBeacon (Windows), GoBeacon (Linux or macOS), and Cobalt Strike, which has a broader implementation. These are in charge of carrying out the last phase, which involves uploading and downloading files, executing commands, and so on, from the user’s own device.
This is how you can prevent your router from being infected with ZuoRAT malware
Lumen, on the other hand, comments that the malware is very sophisticated and therefore difficult to detect. “The extent to which actors go to great lengths to hide C2 infrastructure cannot be overstated. First, to avoid suspicion, they delivered the initial exploit from a dedicated virtual private server (VPS) hosting benign content. They then leveraged routers as proxy C2s hiding in plain sight via router-to-router communication to further avoid detection. And finally, they rotated the proxy routers periodically to avoid detection,” the company says.
Fortunately, there is a way to remove ZuoRAT from routers. The user simply needs to reboot the device and, to prevent the malware from being loaded again, reset it to factory defaults.