Several routers are under attack by ZuoRAT, a new and dangerous malware – Tecnoblog


I admit that I check for firmware updates for my router less than I should. That is a danger: there is malware out there that exploits exactly this kind of device, and ZuoRAT is one example. It has infected routers from brands such as Cisco, Netgear and Asus, with possible consequences that include data theft and redirection to malicious links.

Wi-Fi router (image: Lucas Braga/Tecnoblog)

ZuoRAT was disclosed by Black Lotus Labs, the digital security division of Lumen Technologies. The researchers found that the malware has been active since at least October 2020 and targets common Wi-Fi routers, the kind used at home or in small offices.

Coincidence or not, the malware’s earliest recorded activity dates back to the period when many people were working from home under COVID-19 restrictions.

Black Lotus Labs found that ZuoRAT attacks routers from at least four brands: Cisco, Netgear, Asus and DrayTek. Models from other manufacturers may also be affected, however.

But, after all, how does this malware act?

ZuoRAT is malware of the… RAT type

The suffix in the name is no accident: ZuoRAT is a Remote Access Trojan (RAT). In other words, it is a trojan horse that lets the attacker remotely access or monitor the infected device.

According to the researchers, once installed, ZuoRAT can build a list of the devices connected to the router and gather data on network traffic. From there, various actions can be launched.

By default, the malware alters the router’s DNS settings so that users are sent to fake websites. It can also perform an “HTTP hijack”, answering requests with an HTTP 302 redirect that sends the user to a malicious IP address.
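As an added illustration (not code from the article or from the Black Lotus Labs report), a defender-side check in Python for the two behaviours just described: it compares the addresses handed out by the router-assigned resolver against a trusted resolver reached independently of the router, and classifies HTTP redirects that land on a raw IP address. The resolver answers and the response fields are constructed sample data.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample data (not real indicators): the A records the router-assigned
# resolver returned for two names, next to the answers from a trusted resolver
# reached independently of the router (e.g. over DNS-over-HTTPS).
LOCAL_ANSWERS = {"bank.example": {"203.0.113.10"}, "mail.example": {"198.51.100.5"}}
TRUSTED_ANSWERS = {"bank.example": {"192.0.2.20", "192.0.2.21"}, "mail.example": {"198.51.100.5"}}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def dns_mismatches(local, trusted):
    """Names whose local answer shares no address with the trusted answer.

    A complete disagreement on a name both resolvers know is what a resolver
    pointed at a rogue DNS server (the ZuoRAT behaviour) looks like from a client.
    """
    return sorted(name for name in local
                  if name in trusted and not (local[name] & trusted[name]))


def classify_redirect(status, location, requested_host):
    """Classify one HTTP response as 'ok', 'ip-redirect' or 'cross-host'.

    A 3xx whose Location points at a bare IP address matches the 302 hijack
    described above; a redirect to a different hostname is only worth a second
    look (www. aliases are common), so it gets its own label.
    """
    if status not in REDIRECT_CODES or not location:
        return "ok"
    target = urlparse(location).hostname or ""
    try:
        ipaddress.ip_address(target)
        return "ip-redirect"
    except ValueError:
        pass
    return "ok" if target.lower() == requested_host.lower() else "cross-host"


if __name__ == "__main__":
    for name in dns_mismatches(LOCAL_ANSWERS, TRUSTED_ANSWERS):
        print(f"DNS answer for {name} disagrees with trusted resolver: "
              f"{sorted(LOCAL_ANSWERS[name])} vs {sorted(TRUSTED_ANSWERS[name])}")
    # Constructed response fields, as captured from a plain-HTTP request.
    print(classify_redirect(302, "http://203.0.113.10/login", "bank.example"))
```

In practice the local answers would come from the resolver the router hands out via DHCP and the trusted ones from an independent resolver; any name that lands in the mismatch list deserves a firmware check and a reboot.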

Second part: install other malware

ZuoRAT’s damage potential does not end there. Using the DNS and HTTP hijacking just described, the malware tries to steer the devices connected to the router toward other malware.

One of them is the CBeacon trojan, written in C++ and aimed at Windows computers. The other is GoBeacon, a trojan horse written in Go (the prefix of each name indicates the language used) that infects Linux and macOS machines.

A third payload can also be downloaded: Cobalt Strike Beacon. Cobalt Strike is a sophisticated “tool” that many hackers use to test networks and to compromise the devices connected to them.

Once these threats are installed, the real damage begins. Any of them can make the infected computer download further malware and give the attacker access to files or collected data.

To make matters worse, Black Lotus Labs analysts explain that the infrastructure used to control or access routers infected by ZuoRAT is difficult to track. Identifying the malware’s activity on the router is not an easy task either.

Summary of ZuoRAT’s performance (image: reproduction/Black Lotus Labs)

Restarting the router can be a protective measure

ZuoRAT infects routers by exploiting unpatched security flaws in them. So far, however, there are indications that the malware is used only against selected targets; it is not the kind of malware that scans the internet for vulnerable devices.

Targets have been identified in North America and Europe, but nothing prevents the malware from claiming victims in other regions.

The most recommended protective measure is to install the latest firmware version for your router, following the manufacturer’s instructions. Anyone using an older router should replace it with a newer model if possible.

Among Black Lotus Labs’ recommendations is a simple one: restarting the router regularly may be enough to remove ZuoRAT (and other malware), since this kind of pest is usually stored in temporary directories. Note, however, that complete removal may require resetting the device to factory settings.
