Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Network Security

A Wide Range of Routers Are Under Attack By New, Unusually Sophisticated Malware (arstechnica.com) 45

An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on Tuesday. From a report: So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, infecting routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate. The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.
This discussion has been archived. No new comments can be posted.

A Wide Range of Routers Are Under Attack By New, Unusually Sophisticated Malware

Comments Filter:
  • by devslash0 ( 4203435 ) on Wednesday June 29, 2022 @04:00PM (#62660582)

    "Zuo" is a deliberate misspelling or the Polish word "Evil". Coincidence? ;-)

    • Polish is semi-coincidence, Russian is definitely not.

    • by Anonymous Coward

      The discoverers of the malware named it:

      A first-stage RAT developed for SOHO routers which we dubbed ZuoRAT, based on the Chinese word for “left” (after the actor’s file name, “asdf.a”, which suggests keyboard walking of the lefthand home keys).

      https://blog.lumen.com/zuorat-... [lumen.com]

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday June 29, 2022 @04:14PM (#62660608) Homepage Journal

    ...in this case the summary is bad because the article is bad. It doesn't explicitly come out and say only MIPS devices are affected, you have to actually read and understand the article for that. It is not very complicated, only weird. The weirdness occurs around the first subhead, A high level of sophistication. Despite not having yet mentioned MIPS, it launches into the text seen in the Slashdot summary, "The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant[...]" The third paragraph of this section begins "The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT[...]"

    Instead of this "article", which appears to have been incompetently plagiarized from Lumen's ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks [lumen.com] , maybe it makes more sense just to go to the source for the all-important paragraph the author failed to copy:

    ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules). At present, we have not been able to recover the ruleset; however, we hypothesize that the hijack module was the access vector to the deployment of the subsequent shellcode loaders. Using Lumen global telemetry, we uncovered several infected routers acting as proxy C2 nodes.

    Footnote: CTIG Coverage of Black Lotus Labsâ(TM) ZuoRAT Report [cybrary.it] also offers some useful commentary.

    • Good catch; thank you.

    • As it is today I'd even expect that kind of behavior from ad makers and others that do personal profiling now that cookies aren't permitted to do the job anymore.

    • by mspohr ( 589790 )

      RTFS:
      The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.

      • RTFS:

        Read my whole comment before replying, which you clearly failed to do. You are otherwise wasting everyone's time. I literally quoted part of that in my comment. Before you think you're all smart, make sure you're not being a dumbass.

    • by quenda ( 644621 )

      Black Lotus Labs, is currently tracking ... perform person-in-the-middle attacks

      Oh, FFS ... PITM!? How inclusive. Better make that "Lotus of Color Labs" though?

      • It's not very sensitive towards people who don't identify as people.

        • by quenda ( 644621 )

          It's not very sensitive towards people who don't identify as people.

          One day around the age of 6 or 7 I realized that maybe I was a toaster. I'm 22 now and although I don't look like a toaster on the outside I'm 100% toaster on the inside. First dates were always awkward but my gf (now fiancée) was surprisingly okay with it. We met at a bed bath and beyond and clicked immediately. She's a classic cuisinart stainless steel 4 slot toaster. Her extra wide slots drive me crazy and her crum tray makes me weak at the knees. All of our friends are very supportive and say we're

          • I'm so happy for the two of you. Love wins and toasts crumpets.

          • by piojo ( 995934 )

            No one should ever feel ashamed to be a toaster so I urge everyone who's in the pantry to come out and join the toaster community!

            "in the pantry" made your comment perfect!

            • by quenda ( 644621 )

              "in the pantry" made your comment perfect!

              I'd like to take credit, but not original and I forgot to tick the anon box.
              I have a loved one in the alphabet community, and it is impressive how they are willing to challenge old norms, but on occasion it is taken to silly extremes. We can laugh, no?

    • Comment removed based on user account deletion
  • Fritz!, hol den Flammenwerfer...

  • indeterminate origins

  • Just wondering about times when I've needed to connect to a school or work network with a phone or OSX. Since I can't trust those networks, but I have to connect, what can I do to reduce risk?

    • Yes, the best answer for an untrusted network is to use a VPN which blocks off all traffic from the non-VPN interface. Then you are effectively shielded from it unless there's a hole in your VPN that permits MITM.

  • Is this now America-America or the Post Truth Times (PTT) AMERIKA in German servers or some Nordic AMERIKA? Go figure, PTT piff....
  • Move to Singapore.. And Bam! Only pay 10%. Singapore is basically NYC with flip-flops anyway.
  • All the reports I have seen are very vague in this respect. They mention e.g. Netgear? Are all Netgear routers affected? If not, which ones are that are known about so far?

Real Programmers think better when playing Adventure or Rogue.

Working...