A previously unseen remote access trojan dubbed ZuoRAT has been singling out small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks.
The malware “grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold,” researchers at Lumen Black Lotus Labs said in a report shared with The Hacker News.
The stealthy operation, which targeted routers from ASUS, Cisco, DrayTek and NETGEAR, is believed to have begun in early 2020, during the first months of the COVID-19 pandemic, and to have remained under the radar for more than two years.
“Consumers and remote employees routinely use SOHO routers, but these devices are rarely monitored or patched, which makes them one of the weakest points of a network’s perimeter,” the company’s threat intelligence team said.
Initial access to the routers is obtained by scanning for known, unpatched flaws, which are exploited to load the remote access tool. The RAT is then used to gain access to the network and drop a next-stage shellcode loader that delivers Cobalt Strike and custom backdoors such as CBeacon and GoBeacon, both capable of running arbitrary commands.
Besides enabling in-depth reconnaissance of target networks, traffic collection and network communication hijacking, the malware has been described as a heavily modified version of the Mirai botnet, whose source code was leaked in October 2016.
“ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules),” the researchers said.
Also included is a function to harvest TCP connections over ports 21 and 8443, which are associated with FTP and web browsing, potentially enabling the adversary to keep tabs on the Internet activity of users behind the compromised router.
ZuoRAT’s other capabilities allow the attackers to monitor DNS and HTTPS traffic in order to hijack requests and redirect victims to malicious domains, using preset rules that are generated and stored in temporary directories in an attempt to resist forensic analysis.
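Rule-based DNS hijacking of the kind described above leaves a measurable footprint from inside the LAN: hostnames resolved through the router come back with addresses an independent resolver never returns, and a redirect rule typically sends several unrelated hostnames to the same attacker host. The following check, an added example and not code from Black Lotus Labs or the malware, compares answers seen via the router with answers from a reference resolver that must be reached without going through the router’s DNS (for instance DoT/DoH from a host, or a lookup made from outside the network). The hostnames, addresses and the /24 “benign rotation” heuristic are constructed assumptions for illustration.

```python
"""Detect ZuoRAT-style DNS hijacking by comparing answers seen through the
router with answers from an independent reference resolver.

A single mismatched answer is weak evidence (CDNs rotate addresses), so the
check pivots on the attacker's side of the problem: rule-based hijacking tends
to send several unrelated hostnames to the same attacker-controlled address.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DnsAnswer:
    qname: str      # queried hostname
    rdata: str      # IPv4 address in the A record
    resolver: str   # "router" (via the SOHO router) or "reference" (bypassing it)


def answers_by_name(answers, resolver):
    """Group A-record data per hostname for one resolver path."""
    grouped = defaultdict(set)
    for a in answers:
        if a.resolver == resolver:
            grouped[a.qname].add(a.rdata)
    return grouped


def unexpected_answers(answers):
    """Per hostname, router answers that the reference resolver never returned.

    Addresses in the same /24 as a reference answer are treated as benign
    CDN/anycast rotation rather than a redirect (an assumed heuristic).
    """
    router = answers_by_name(answers, "router")
    reference = answers_by_name(answers, "reference")
    mismatches = {}
    for qname, router_ips in router.items():
        ref_ips = reference.get(qname, set())
        ref_nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ref_ips}
        odd = {
            ip for ip in router_ips - ref_ips
            if ipaddress.ip_network(f"{ip}/24", strict=False) not in ref_nets
        }
        if odd:
            mismatches[qname] = odd
    return mismatches


def likely_hijack_sinks(answers, min_hostnames=2):
    """Addresses that 'answer' for at least min_hostnames unrelated hostnames
    while the reference resolver never returned them: the footprint of a
    redirect rule pointing victims at one attacker host."""
    by_ip = defaultdict(set)
    for qname, ips in unexpected_answers(answers).items():
        for ip in ips:
            by_ip[ip].add(qname)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_hostnames}


# Constructed sample: the same four hostnames resolved via the router and via a
# reference resolver reached without going through the router's DNS. Addresses
# are documentation ranges, not real infrastructure.
SAMPLE = [
    DnsAnswer("webmail.example", "198.51.100.7", "router"),
    DnsAnswer("webmail.example", "192.0.2.20", "reference"),
    DnsAnswer("bank.example", "198.51.100.7", "router"),
    DnsAnswer("bank.example", "192.0.2.10", "reference"),
    DnsAnswer("cdn.example", "203.0.113.45", "router"),    # benign rotation
    DnsAnswer("cdn.example", "203.0.113.10", "reference"),
    DnsAnswer("news.example", "192.0.2.1", "router"),      # identical
    DnsAnswer("news.example", "192.0.2.1", "reference"),
]

if __name__ == "__main__":
    for ip, names in likely_hijack_sinks(SAMPLE).items():
        print(f"{ip} returned for {', '.join(names)} by the router only")
```

On the sample, the CDN hostname is ignored because its two answers share a /24, the identical answer is ignored outright, and the two hostnames pointed at 198.51.100.7 by the router alone are reported together as one suspected sink. Raising `min_hostnames` trades sensitivity for fewer false positives from split-horizon DNS.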
That is not the only step the attackers take to conceal their activity: the attacks rely on an obfuscated, multi-stage C2 infrastructure, using a virtual private server to deliver the initial RAT exploit and the compromised routers themselves as proxy C2 servers.
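A router acting as a proxy C2 server has to open connections on its own behalf, which a SOHO router otherwise does only for DNS, NTP and firmware updates. The difficulty is that on the WAN side every LAN client’s connection is NAT’d to the router’s address, so WAN flow records alone cannot separate router traffic from client traffic. The correlation below, an added example rather than anything from the report, pairs a LAN-side flow export with a WAN-side one: a WAN flow with no LAN counterpart was started by the router itself, and one outside the expected destination set is worth a look. The addresses, the expected-destination list and the destination-only matching are constructed simplifications.

```python
"""Spot connections a SOHO router originates on its own behalf, which is what a
router acting as a proxy C2 node (or beaconing home) would produce.

On the WAN side every LAN connection is NAT'd to the router's address, so WAN
flows alone cannot tell router traffic from client traffic. Correlating a LAN-
side flow export with a WAN-side one fixes that: a WAN flow with no LAN-side
counterpart was started by the router itself.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def flow_key(flow):
    """Match LAN and WAN records on the fields NAT leaves untouched."""
    return (flow.dst, flow.dport, flow.proto)


def router_originated(lan_flows, wan_flows, router_wan):
    """WAN flows from the router's address with no LAN-side flow to the same destination.

    Simplification (assumed): flows are matched by destination only; a production
    correlator would also match on time window and NAT'd source port.
    """
    lan_keys = {flow_key(f) for f in lan_flows}
    return [f for f in wan_flows if f.src == router_wan and flow_key(f) not in lan_keys]


def unexpected_router_flows(lan_flows, wan_flows, router_wan, expected):
    """Router-originated flows outside the set of destinations the router is
    expected to contact on its own (DNS, NTP, vendor update service)."""
    return [
        f for f in router_originated(lan_flows, wan_flows, router_wan)
        if flow_key(f) not in expected
    ]


# Constructed sample (documentation address ranges, not real hosts).
ROUTER_WAN = "203.0.113.5"
EXPECTED = {
    ("198.51.100.53", 53, "udp"),    # ISP resolver (assumed)
    ("198.51.100.123", 123, "udp"),  # NTP (assumed)
    ("198.51.100.80", 443, "tcp"),   # vendor firmware-update host (assumed)
}
LAN_FLOWS = [
    Flow("192.168.1.20", "192.0.2.30", 443, "tcp"),
    Flow("192.168.1.21", "192.0.2.40", 80, "tcp"),
]
WAN_FLOWS = [
    Flow(ROUTER_WAN, "192.0.2.30", 443, "tcp"),      # NAT'd client traffic
    Flow(ROUTER_WAN, "192.0.2.40", 80, "tcp"),       # NAT'd client traffic
    Flow(ROUTER_WAN, "198.51.100.53", 53, "udp"),    # router's own DNS, expected
    Flow(ROUTER_WAN, "192.0.2.99", 443, "tcp"),      # router's own, unexplained
]

if __name__ == "__main__":
    for f in unexpected_router_flows(LAN_FLOWS, WAN_FLOWS, ROUTER_WAN, EXPECTED):
        print(f"router-originated {f.proto} flow to {f.dst}:{f.dport} with no LAN client behind it")
```

On the sample, two WAN flows are explained by LAN clients, the router’s own DNS query is expected, and the remaining HTTPS connection to 192.0.2.99 is flagged. Port 443 alone is not the signal; what matters is that nothing on the LAN asked for it. Inbound connections to the router’s WAN address on unusual ports deserve the same scrutiny, since a proxy C2 node also has to be reachable.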
To further avoid detection, the staging server has been seen hosting seemingly innocuous content, in one instance mimicking a website called “muhsinlar.net”, a propaganda portal for the Turkistan Islamic Party (TIP), a Uyghur extremist group originating from China.
The identity of the adversary behind the campaign remains unknown, although an analysis of the artifacts revealed possible references to the Chinese province of Xiancheng and the use of Alibaba’s Yuque and Tencent services for command-and-control (C2).
Black Lotus Labs noted that the elaborate and evasive nature of the operation, together with the tactics used in the attacks to stay undetected, points toward potential nation-state activity.
“The capabilities demonstrated in this campaign – gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices, and intentionally stealth C2 infrastructure leveraging multistage siloed router-to-router communications – points to a highly sophisticated actor,” the researchers concluded.