Across North America and Europe, an advanced hacking group has dedicated nearly two years to the pursuit of infecting routers with malware. This particular type of malware can take full control over connected devices running Windows, macOS and Linux, according to security researchers. At present, as many as 80 different targets have been affected by the malware, including routers produced by Netgear and DrayTek.

This router malware

This router malware, dubbed ZuoRAT, is a remote access Trojan believed to be part of a larger hacking campaign that has been in progress since late 2020. The malware is considered significant because of the way its code has been written and its range of capabilities. It can enumerate all devices connected to an infected router and can collect the DNS lookups and network traffic sent and received.

The fact that ZuoRAT remains imperceptible while engaged reflects development by a truly sophisticated hacker.

ZuoRAT technical details

The malware compromises SOHO routers and uses them as a vector to gain access to the adjacent LAN. While the technique isn’t new, it’s not reported often. “Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation.

“The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization,” says an anonymous security analyst.

The campaign consists of at least four pieces of malware, three of which appear to have been written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which looks similar to the Mirai Internet of Things malware that achieved record-breaking DDoS attacks, crippling some internet services for days. ZuoRAT is commonly installed through the exploitation of unpatched vulnerabilities in SOHO devices.

After installation, ZuoRAT enumerates the devices connected to the compromised router. The operator can then leverage DNS hijacking and HTTP hijacking to force connected devices to install other malware.

Further technical insights

Two such malware pieces, called CBeacon and GoBeacon, appear custom-made. The first was written for Windows in C++. The latter was written in Go for cross-compiling on macOS and Linux systems. To make the software more flexible, hackers programmed it in such a way as to enable it to also infect connected devices with the widely used Cobalt Strike hacking tool.

Purposely complex malware

ZuoRAT’s command and control infrastructure appears to be intentionally complex, so as to hide what’s happening. One set of infrastructure controls infected routers. Another is reserved for the connected devices if they fall prey to infection.

Researchers observed routers from 23 IP addresses with a persistent connection to a control server that they believe performed an initial survey to assess potential targets. A subset of those 23 routers later interacted with a Taiwan-based proxy server for several months.

Router malware campaign implications

For SOHO routers, this campaign represents the most important malware discovery since that of VPNFilter, a nation-state-backed malware. Routers are often overlooked when it comes to security. This fact has become more pronounced in the work-from-home era.

Although organizations commonly maintain strict requirements around what devices are allowed to connect to networks, few mandate patching or other cyber safety measures for routers.

Router malware removal

As with the majority of router malware, ZuoRAT cannot survive a reboot. By restarting an infected router, owners will remove the initial ZuoRAT exploit. To ensure a complete recovery, infected routers should be factory reset. However, affected connected devices cannot be cleaned so easily.
