Researchers have discovered an unusually sophisticated malware that has targeted at least 80 routers made by Cisco, Netgear, Asus, and DrayTek. The new malware, named ZuoRAT, has been active since at least Q4 2020.
The malware takes complete control of any Windows, macOS or Linux devices connected to the router and primarily targets North American and European users. Researchers at Black Lotus Labs believe it’s part of a larger hacking campaign that’s still ongoing.
ZuoRAT seems to be custom-built for the MIPS architecture and compiled for small-scale home and office routers and often gets installed by exploiting unpatched SOHO vulnerabilities. It can track all devices connected to the router, list DNS lookups and track all network traffic going through the infected router without being detected.
A broader campaign at work
The researchers have pointed out that at least four parts to the campaign, starting with ZuoRAT. Three of these parts seem to have been written from scratch, displaying a level of sophistication that led researchers to believe that the campaign may be run by a state-sponsored group.
Once a router is infected, ZuoRAT can further infect connected devices using two methods.
- DNS Hijacking: The method replaces valid IP addresses used for DNS in the router with malicious ones used by the hackers.
- HTTP Hijacking: The malware injects itself into the connection between the router and the device generating a 302 error which redirects the user to a malicious website.
These two methods are used to further deploy other malware on infected devices. This malware includes at least two custom-made malware named CBeacon and GoBeacon, as well as the popular Cobalt Strike backdoor.
The command and control infrastructure for the malware is also intentionally complex and divided into two parts. One part is dedicated to controlling infected routers, and the other is reserved for connected devices should they get infected later.
However, as sophisticated as it is, ZuoRAT can’t survive device reboots like most router malware. Restarting the device can eliminate the initial exploit, which is saved as a set of temporary files on the device itself. However, a factory reset is suggested to fully purge the malware infection.