An unknown team of attackers is using a newly discovered piece of malware to infect a range of SOHO routers, hijack DNS and HTTP traffic, and move laterally through compromised networks. The malware, which looks to be a modified version of the venerable Mirai codebase, is known as ZuoRAT, and researchers believe it may be the work of a state-sponsored actor.
The attack campaign so far has targeted devices in Europe and North America from several manufacturers, including ASUS, Netgear, DrayTek, and Cisco, and the command-and-control servers that compromised devices communicate with are located in China. Researchers at Black Lotus Labs discovered the ZuoRAT malware and recovered the exploit script for one specific router, the JCG Q20. That script exploited two known vulnerabilities in the router, but it’s not known how the attackers are gaining access to the other known-exploited routers.
“Both the C2 and host IPs linked to the exploit were also located in China, with potential targeting in Hong Kong. We subsequently discovered a text file uploaded to VirusTotal by the same submitter as the exploit script which lists numerous IP addresses with the designator 'HK,' presumably referencing Hong Kong,” Black Lotus Labs said in an explanation of the attack.
“While the actor modified the proof-of-concept exploit script for the JCG-Q20 router model, the underlying logic remained the same: the script first performed command line injection to obtain authentication material, and then used the output from the command injection to perform an authentication bypass. This chain of vulnerabilities allowed the actor to download a binary, then execute it on the host.”
The Black Lotus Labs researchers first came across ZuoRAT while looking through a malware repository and noticing that it had some similarities to Mirai, the infamous malware that is often used in attacks on IoT devices.
“I saw some abnormal functions that didn’t look like typical Mirai behavior,” said Danny Adamitis, principal security researcher at Black Lotus Labs, the research arm of Lumen.
The exploit script has four main functions: recovering the router’s password, extracting the sysauth cookie, starting a telnet session, and then removing any previous versions of ZuoRAT and downloading and installing the latest version. The malware then performs some reconnaissance on the router and the local network, scanning for a list of open ports and sending the information to the C2 server. Another function enables ZuoRAT to gather information about the DNS and WiFi settings on the router and the IP and MAC addresses of other devices on the network.
“Once the threat actor obtained information about the DNS settings and the internal host in the adjacent LAN, there were several functions designed to perform DNS hijacking. These functions would look at the DNS requests that were being transmitted through the router and a custom DNS parser, providing statistics on the types of domains being requested by the victim. Other functions allowed the actor to update DNS hijacking rules specifying which domains to hijack, the malicious IP address resulting from the hijack and the number of times to trigger the rule,” the analysis says.
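Because the hijack rules described above fire only a configured number of times, a compromised router can return a malicious answer once and a correct one the next time, so a defender comparing answers by majority vote would miss it. The following added example (not Black Lotus Labs' code, and not derived from the ZuoRAT sample) shows one way to check for router-level DNS hijacking from passive DNS records: every answer the LAN router returned is compared with the answers an independent reference resolver returned for the same name, and any single mismatch is reported. The log format, the router and reference resolver addresses, and the sample records are all constructed for the illustration.

```python
"""Flag DNS answers from a LAN router that an independent resolver never gave.

Added example, not code from the page's source or from ZuoRAT.  The log
format and all addresses below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS records, one answer per line.
# Assumed format: "<timestamp> <resolver_ip> <qname> <answer_ip>"
SAMPLE_LOG = """\
2022-06-28T10:00:01Z 192.168.1.1 mail.example.com 203.0.113.10
2022-06-28T10:00:01Z 9.9.9.9 mail.example.com 203.0.113.10
2022-06-28T10:00:05Z 192.168.1.1 login.example.net 198.51.100.77
2022-06-28T10:00:05Z 9.9.9.9 login.example.net 203.0.113.55
2022-06-28T10:01:12Z 192.168.1.1 login.example.net 203.0.113.55
2022-06-28T10:01:12Z 9.9.9.9 login.example.net 203.0.113.55
2022-06-28T10:02:00Z 192.168.1.1 cdn.example.org 203.0.113.80
2022-06-28T10:02:00Z 9.9.9.9 cdn.example.org 203.0.113.81
not a valid record line
"""

ROUTER = "192.168.1.1"   # SOHO router acting as the LAN's resolver (constructed)
REFERENCE = "9.9.9.9"    # resolver queried directly, bypassing the router (constructed)


def parse_log(text):
    """Yield (timestamp, resolver, qname, answer) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, resolver, qname, answer = parts
        try:
            ip_address(answer)          # drop lines whose answer is not an IP
        except ValueError:
            continue
        yield ts, resolver, qname.lower().rstrip("."), answer


def find_hijacks(text, router=ROUTER, reference=REFERENCE, ignore=frozenset()):
    """Return [(timestamp, qname, router_answer, reference_answers), ...].

    Every router answer is checked on its own against the full set of
    reference answers for that name.  No majority vote is used, because a
    hijack rule that triggers a limited number of times shows up in only a
    few records.  Names in `ignore` (e.g. CDN-backed hosts that legitimately
    resolve differently per resolver) are skipped.
    """
    reference_answers = defaultdict(set)
    router_records = []
    for ts, resolver, qname, answer in parse_log(text):
        if resolver == reference:
            reference_answers[qname].add(answer)
        elif resolver == router:
            router_records.append((ts, qname, answer))

    findings = []
    for ts, qname, answer in router_records:
        if qname in ignore:
            continue
        expected = reference_answers.get(qname)
        if expected is None:
            continue                    # no reference data, cannot judge
        if answer not in expected:
            findings.append((ts, qname, answer, sorted(expected)))
    return findings


if __name__ == "__main__":
    for ts, qname, got, expected in find_hijacks(SAMPLE_LOG):
        print(f"{ts} {qname}: router returned {got}, reference returned {expected}")
```

On the constructed records this reports the single divergent answer for login.example.net and also the cdn.example.org pair; names served by CDNs or geo-aware resolvers legitimately differ between resolvers, so in practice such names go into the `ignore` set or are triaged by hand before being treated as evidence of a hijacked router.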
Adamitis said it’s not clear how the attackers are planting the ZuoRAT on other brands of routers, but it’s likely that they are using known flaws.
“We’d have to perform host forensics to figure that out but based on what we saw, it looks like they’re using known vulnerabilities,” he said. “These devices live outside of the normal security perimeter. They hit the home router and then they can get to the corporate network and they can circumvent some of the corporate security measures.”
The number of compromised routers hit by ZuoRAT is difficult to ascertain, but Adamitis said Lumen’s telemetry showed nearly 80 in the last few months.