An “unusually advanced hacking group” has spent almost two years infecting a wide range of routers in North America and Europe, according to a report in Ars Technica. The group is using malware that takes full control of connected devices running Windows, macOS, and Linux.
So far, researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 infected targets. The targets include routers from Cisco, Netgear, Asus, and DrayTek. The researchers did not specify models. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate to this day.
The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect DNS lookups and network traffic while remaining undetected is the hallmark of a highly sophisticated threat actor.
Possibly deployed by state actor
“While compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported”, Black Lotus Labs researchers wrote. “Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization.”
The campaign comprises at least four pieces of malware, according to Ars Technica. These include denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.