Hackers spy on local networks by relying on unpatched and poorly monitored routers. It is probably a state actor.
Security researchers at Lumen's Black Lotus Labs have detected a fairly sophisticated hacking campaign that has targeted home and SMB routers since at least 2020, i.e. the start of the Covid crisis. Coincidence or not, the hackers have certainly taken advantage of the pandemic: it forced employees to work remotely and multiplied deployments of this type of router, which increased the attack surface.
The hackers proceed in several steps. They first use a script that exploits certain flaws in the routers to install spyware called ZuoRAT. ZuoRAT analyzes the device's configuration and explores the local network. After a period of observation, the hackers intercept HTTP or DNS requests in order to deploy a “loader” on the device.
The loader's job is to download a Trojan horse, in this case Cbeacon, GoBeacon or Cobalt Strike. The first two are custom-made; the third is a standard tool. This malware can, among other things, download or upload files, execute arbitrary commands and persist on the machine.
Lumen has detected around 80 infected devices so far, from Asus, Cisco, DrayTek and Netgear, but there are probably many more. It is also possible that this actor has been active for years without ever being spotted, because small routers are rarely monitored and even more rarely patched. Attribution is difficult at this stage. Admittedly, the malicious code contains Chinese characters and references to a locality called “sxiancheng”, and some command-and-control servers were hosted on Alibaba and Tencent services. But this is insufficient to establish the geographical origin of the campaign.
What seems certain is that it is a state actor, if only because of the way the command-and-control (C&C) infrastructure is managed. “First, to avoid suspicion, they pushed the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Next, they operated routers as proxy routers for C&C communications (…) And finally, they periodically rotated proxy routers to avoid detection,” the security researchers write.
Lumen
The post Mysterious malware infects small routers in Europe and the United States appeared first on Gamingsym.