A targeted attack campaign has been compromising home and small-business routers since late 2020 with the goal of hijacking network communications and infecting local computers with stealthy and sophisticated backdoors.
Attacks against home routers are not new, but the implants used by attackers in this case were designed for local network reconnaissance and lateral movement instead of just abusing the router itself.
"The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defence-in-depth protections by targeting the weakest points of the new network perimeter -- devices which are routinely purchased by consumers but rarely monitored or patched -- small office/home office (SOHO) routers," researchers from Black Lotus Labs, the threat intelligence arm of telecommunications company Lumen Technologies, said in a recent report.
Malware implant for multiple router makes and models
Lumen estimates that the attack campaign has compromised at least 80 routers and networks and has seen signs of infections coming from routers made by ASUS, Cisco, DrayTek and NETGEAR. However, the company's researchers only managed to recover the exploit script used against a JCG-Q20 router.
"In this case, the actor exploited known CVEs (CVE-2020-26878 and CVE-2020-26879) using a Python-compiled Windows portable executable (PE) file that referenced a proof of concept called ruckus151021.py," the researchers said. The goal of the script is to gain credentials and load remote-access Trojan malware, which Lumen dubbed "ZuoRAT."
While it's not clear how router models from other manufacturers were compromised, the exploitation of known vulnerabilities, like in the case of the JCG-Q20 model, is a strong possibility. However, the use of zero-day exploits, or of other techniques such as credential stuffing that have been observed in other router attacks in the past, cannot be excluded.
It's also worth noting that the identified exploit script was made to be executed on Windows, which means attackers could use it to attack a router from an already compromised Windows machine on the same network.
Many home routers have a limited attack surface from the internet -- remote access is usually disabled out of the box -- but they continue to expose a lot of services and management interfaces to the local network and these can be a source of vulnerabilities.
Unfortunately, router manufacturers continue to treat local networks as trusted environments when designing devices despite malware infections inside local networks being a common occurrence.
The JCG-Q20 exploit script exploited a command injection flaw to obtain authentication material and then used that information to download and execute a malicious binary on the router. This binary is a malicious attack framework written for MIPS architecture that the Lumen researchers dubbed ZuoRAT.
The malware is a heavily modified variant of Mirai, a botnet-type implant for routers and other IoT devices that originally appeared in 2016 but was later open-sourced and has served as the basis for many IoT malware variants since then.
While Mirai was originally used to hijack routers for distributed denial-of-service (DDoS) attacks, ZuoRAT's focus is on surveillance and lateral movement inside local networks.
According to the Lumen researchers, when executed, the implant collects information about the router, including its public IP address, and performs a memory dump that can reveal credentials, routing tables and IP tables stored in the device's memory.
It then surveys the local LAN for IP addresses that have services running on the following ports: 21, 22, 23, 80, 135, 139, 443, 445, 808, 902, 912, 1723, 2323, 3306, 5222, 5269, 5280, 5357, 8080, 8443 and 9001. All this information is then sent to the command-and-control (C2) server.
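The port list above gives defenders something concrete to look for: one LAN source touching many of those ports on several local hosts in a short time. The sketch below is an added example, not code from Lumen's report; the log format (`timestamp src dst dport`), the LAN prefix, the thresholds and the sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports the article lists as probed by ZuoRAT on the local network.
ZUORAT_PORTS = frozenset({21, 22, 23, 80, 135, 139, 443, 445, 808, 902, 912,
                          1723, 2323, 3306, 5222, 5269, 5280, 5357, 8080,
                          8443, 9001})

def parse_flow(line):
    """Parse one 'timestamp src dst dport' record (hypothetical format)."""
    ts, src, dst, dport = line.split()
    return float(ts), ip_address(src), ip_address(dst), int(dport)

def find_lan_surveys(lines, lan="192.168.1.0/24", window=60.0,
                     min_hosts=3, min_ports=8):
    """Return LAN sources that, inside one `window`-second span, reached at
    least `min_ports` distinct listed ports on at least `min_hosts` hosts."""
    net = ip_network(lan)
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        # Keep only LAN-to-LAN flows aimed at a port on the reported list.
        if src in net and dst in net and dport in ZUORAT_PORTS:
            by_src[src].append((ts, dst, dport))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            hosts = {e[1] for e in in_win}
            ports = {e[2] for e in in_win}
            if len(hosts) >= min_hosts and len(ports) >= min_ports:
                hits[str(src)] = {"hosts": len(hosts), "ports": sorted(ports)}
                break
    return hits

# Constructed sample: the router (192.168.1.1) walks the whole port list
# across three hosts in about 20 seconds; a workstation behaves normally.
SAMPLE = [f"{100 + i} 192.168.1.1 192.168.1.{10 + i % 3} {p}"
          for i, p in enumerate(sorted(ZUORAT_PORTS))]
SAMPLE += ["105 192.168.1.50 192.168.1.20 445",   # file share access
           "130 192.168.1.50 203.0.113.10 443",   # outbound web, ignored
           "140 192.168.1.50 192.168.1.1 80"]     # router admin page

if __name__ == "__main__":
    for src, info in find_lan_surveys(SAMPLE).items():
        print(src, "probed", len(info["ports"]), "listed ports on",
              info["hosts"], "hosts")
```

The flow records have to come from somewhere other than the router, such as host firewall logs or a switch mirror port, because a compromised router cannot be relied on to report its own traffic.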
The malware contains a series of functions that can be used to perform packet capture on HTTP, TCP, FTP, DNS and SOCKS connections that are routed through the device. This can allow attackers to capture credentials sent in the clear over such connections. Other functions allow attackers to set up DNS hijacking rules, where local computers trying to access legitimate domains are redirected to servers controlled by the attackers.
The researchers found more than 2,500 unique functions in the malware that enable different capabilities that might have been triggered by additional modules downloaded to infected routers as needed by the attackers. These included LAN enumeration, HTTP hijacking, password spraying, USB enumeration, and code injection.
"Black Lotus Labs’ visibility indicates ZuoRAT and the correlated activity represent a highly targeted campaign against U.S. and Western European organisations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection," the researchers said. "The extent to which the actors take pains to hide the C2 infrastructure cannot be overstated."
To hide their command-and-control servers, the attackers routed the traffic from hijacked routers through other compromised routers that served as proxies. The proxy routers were periodically rotated.
Windows malware loader is the second stage
The researchers also located a Windows malware loader that shared code similarities with ZuoRAT, such as environment variables, PDB paths and hardcoded MAC addresses. They believe with high confidence that this loader was the next stage in the attack chain and was deployed on computers inside LANs that were targeted via ZuoRAT's DNS or HTTP hijacking capabilities.
The loader masqueraded as a legitimate program and contained a signature with a certificate issued to Chinese company Tencent. Even though the signature wasn't valid, samples signed with the certificate had a lower detection rate on VirusTotal than those that weren't signed.
The loader connects to a hard-coded C2 server to download additional payloads. The researchers identified three implants: a custom RAT written in C that they dubbed CBeacon; a similar RAT written in Go, dubbed GoBeacon; and Cobalt Strike, a commercial remote access framework that's commonly used by hacker groups. Go is a cross-platform language and runtime, so GoBeacon could easily be cross-compiled for macOS or Linux.
CBeacon and GoBeacon provide attackers with the ability to collect information from the device, list files inside local directories, upload files to the C2 server, download files from the C2 server and execute additional shellcode by injecting it into other processes.
The attackers were seen using services by Chinese companies Alibaba and Tencent either to host files (Alibaba’s Yuque platform) or as redirectors for command-and-control (Tencent). A Chinese word has also been found in PDB paths inside the malware, possibly suggesting a Chinese origin for the malware, although this is not strong enough evidence.
"The capabilities demonstrated in this campaign -- gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications -- points to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years," the researchers concluded.
Security experts have warned from the start of the COVID-19 pandemic that remote employees are easier to target inside their home networks because their work devices don't benefit from the same levels of protection as when they're behind corporate firewalls and routers.
While the adoption and implementation of zero trust network security principles can mitigate some of those risks, many organisations have been forced to do split network tunnelling on their VPN clients to ease the burden on their VPN gateways and available bandwidth.
This means that in many cases, a portion of non-critical or non-work-related traffic from the devices used by their remote employees continues to flow, potentially unencrypted, through those users' home routers.