LetsAskBinu.com

ZuoRAT Malware Found Hitting Home Routers

by Researcher
July 3, 2022
in Cybersecurity


An unknown group of attackers is using a newly discovered piece of malware to infect a range of SOHO routers, hijack DNS and HTTP traffic, and move laterally into the networks behind them. The malware, which appears to be a heavily modified version of the venerable Mirai codebase, is known as ZuoRAT, and researchers believe it may be the work of a state-sponsored actor.

The campaign so far has targeted devices in Europe and North America from several manufacturers, including ASUS, Netgear, DrayTek, and Cisco. Researchers at Black Lotus Labs discovered the ZuoRAT malware and recovered the exploit script for one specific router, the JCG Q20; the command-and-control server and host IP tied to that exploit were located in China. The script chained two known vulnerabilities in that router, but it is not known how the attackers are gaining access to the other router models.

“Both the C2 and host IPs linked to the exploit were also located in China, with potential targeting in Hong Kong. We subsequently discovered a text file uploaded to VirusTotal by the same submitter as the exploit script which lists numerous IP addresses with the designator ‘HK,’ presumably referencing Hong Kong,” Black Lotus Labs said in an explanation of the attack.

“While the actor modified the proof-of-concept exploit script for the JCG-Q20 router model, the underlying logic remained the same: the script first performed command line injection to obtain authentication material, and then used the output from the command injection to perform an authentication bypass. This chain of vulnerabilities allowed the actor to download a binary, then execute it on the host.”

The Black Lotus Labs researchers first came across ZuoRAT while looking through a malware repository and noticing that it had some similarities to Mirai, the infamous malware that is often used in attacks on IoT devices.

“I saw some abnormal functions that didn’t look like typical Mirai behavior,” said Danny Adamitis, principal security researcher at Black Lotus Labs, the research arm of Lumen.

The exploit script has four main functions: recovering the router's password, extracting the sysauth cookie, starting a telnet session, and then removing any previous version of ZuoRAT before downloading and installing the latest one. Once installed, the malware performs reconnaissance on the router and the local network, scanning for a list of open ports and sending the results to the C2 server. Another function gathers the router's DNS and WiFi settings along with the IP and MAC addresses of other devices on the network.

“Once the threat actor obtained information about the DNS settings and the internal host in the adjacent LAN, there were several functions designed to perform DNS hijacking. These functions would look at the DNS requests that were being transmitted through the router and a custom DNS parser, providing statistics on the types of domains being requested by the victim. Other functions allowed the actor to update DNS hijacking rules specifying which domains to hijack, the malicious IP address resulting from the hijack and the number of times to trigger the rule,” the analysis says.

Adamitis said it is not clear how the attackers are planting ZuoRAT on the other brands of routers, but it is likely that they are using known flaws.

“We’d have to perform host forensics to figure that out but based on what we saw, it looks like they’re using known vulnerabilities,” he said. “These devices live outside of the normal security perimeter. They hit the home router and then they can get to the corporate network and they can circumvent some of the corporate security measures.”

The number of compromised routers hit by ZuoRAT is difficult to ascertain, but Adamitis said Lumen’s telemetry showed nearly 80 in the last few months.


© 2022 Lets Ask Binu All Rights Reserved