New Malware Remotely Accesses Offices and Homes | Ron Benvenisti

A newly discovered remote access trojan is compromising small office and home office routers in a campaign targeting North American and European networks.

Researchers from Lumen Black Lotus Labs reported the malware “grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.” Targeted routers are manufactured by ASUS, Cisco, DrayTek, and NETGEAR, which are the most popular in office networks. The malware is believed to have first appeared in the initial months of the 2020 COVID-19 pandemic and to have remained undetected since.

“Consumers and remote employees routinely use small office and home office (SOHO) routers, but these devices are rarely monitored or patched, which makes them one of the weakest points of a network’s perimeter,” the company’s threat intelligence team said. The malware can easily use the compromised router to push custom trojans to any other workstations on the network. By monitoring traffic, it can redirect victims to malicious web domains using tailored, generated rules designed to resist forensic analysis.

Initial access comes from scanning for known, unpatched flaws in these routers; the resulting vector is used to load a remote access tool and then drop a next-stage loader that delivers backdoors capable of running commands remotely.

The attack performs deep reconnaissance, collects network traffic, and hijacks communications over the network. In this way it captures packets (carrying private and proprietary information) transmitted through the infected device. Man-in-the-middle attacks, in which the malware interposes itself between two communicating parties, can intercept and exfiltrate traffic from connections over common ports such as port 21, used for file transfers, and port 8443, used for web browsing, to monitor users’ internet activity inside the network.

The hackers can hide behind a virtual private server used to drop the initial malware, and use the compromised routers as proxy C2 servers. These servers act as an intermediary for network communications to a command-and-control server, avoiding direct connections to the attackers’ infrastructure. Many hacker tools exist that enable traffic redirection through proxies.
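Two defender-side checks follow from the behaviour described above: a router that hijacks DNS to redirect victims will hand out answers that disagree with a trusted resolver, and a router that is acting as a proxy C2 node will itself originate outbound sessions, which a SOHO gateway forwarding LAN traffic normally does not do. The script below is an added example, not code from the article or from Lumen Black Lotus Labs; the gateway address, LAN range, watched ports (the article's 21 and 8443), DNS answers and flow records are all constructed sample data.

```python
"""Consistency checks for a SOHO router suspected of hijacking LAN traffic.
Added example; not from the article or Lumen Black Lotus Labs.
Every input below is constructed sample data, not a real capture."""
from ipaddress import ip_address, ip_network

GATEWAY = "192.168.1.1"            # assumed address of the LAN router
LAN = ip_network("192.168.1.0/24")  # assumed LAN range
WATCHED_PORTS = {21, 8443}          # ports the article names as hijacked/monitored

# Constructed: A records the router's resolver returned vs. a trusted resolver.
ROUTER_ANSWERS = {
    "mail.example.com": {"203.0.113.10"},
    "portal.example.org": {"198.51.100.77"},   # differs from the trusted answer
    "update.example.net": {"203.0.113.44"},
}
TRUSTED_ANSWERS = {
    "mail.example.com": {"203.0.113.10"},
    "portal.example.org": {"203.0.113.20"},
    "update.example.net": {"203.0.113.44"},
}


def dns_mismatches(router_answers, trusted_answers):
    """Domains for which the router-supplied A records share nothing with the
    trusted resolver's answer. A clean disagreement on every address is the
    signature of a redirect rather than ordinary round-robin DNS."""
    return sorted(
        domain
        for domain, addrs in router_answers.items()
        if domain in trusted_answers and not (addrs & trusted_answers[domain])
    )


# Constructed flow records: (source IP, destination IP, destination port, bytes)
FLOWS = [
    ("192.168.1.23", "203.0.113.10", 443, 51200),   # normal LAN host browsing
    ("192.168.1.1", "198.51.100.5", 8443, 90112),   # gateway itself talking out
    ("192.168.1.1", "198.51.100.5", 21, 4096),      # gateway itself talking out
    ("192.168.1.1", "192.168.1.23", 53, 200),       # gateway answering LAN DNS
    ("192.168.1.45", "203.0.113.44", 80, 3000),     # normal LAN host browsing
]


def suspicious_gateway_flows(flows, gateway=GATEWAY, lan=LAN, ports=WATCHED_PORTS):
    """Sessions the gateway initiated to hosts outside the LAN on watched ports.
    Returns (destination, port, bytes) tuples in the order they were seen."""
    flagged = []
    for src, dst, port, nbytes in flows:
        if src == gateway and ip_address(dst) not in lan and port in ports:
            flagged.append((dst, port, nbytes))
    return flagged


if __name__ == "__main__":
    print("DNS answers that disagree with the trusted resolver:",
          dns_mismatches(ROUTER_ANSWERS, TRUSTED_ANSWERS))
    print("Gateway-originated sessions worth reviewing:",
          suspicious_gateway_flows(FLOWS))
```

In practice the DNS side would be fed by querying the same names through the gateway and through a resolver reached over a separate path, and the flow side by the NetFlow or packet capture of the upstream link; either check alone only raises a lead, and a confirmed mismatch is a reason to pull the router's firmware for analysis, not proof of compromise on its own.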

“The capabilities demonstrated in this campaign — gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications — points to a highly sophisticated actor,” the researchers concluded.

The malware can mimic websites such as propaganda portals set up for international dissemination, one of which was identified as belonging to a Uyghur extremist outfit originating from China.

The identity of the malicious actors remains unknown at this time, but a limited analysis shows possible references to the Chinese province of Xiancheng and the use of Alibaba’s Yuque and Tencent networks for command-and-control via the C2 proxy server scheme.

The complex nature of the evasive tactics used in the attacks can potentially have national security implications.
