How can I check for GoBeacon infection?

I might be too paranoid, but since I am not exactly qualified when it comes to security, maybe it’s a good idea to ask here and get advice from more competent people.

This is making the rounds in the news currently: A wide range of routers are under attack by new, unusually sophisticated malware | Ars Technica

I understand that if my router is infected, a factory reset will be enough.

One thing that I cannot figure out though is: since this is also targeting Linux, how can I test my machine, and potentially clean up?

Any advice welcome! Thanks!

The discovery of custom-built malware written for the MIPS architecture […]

Manjaro doesn’t run on MIPS.

My understanding is that the MIPS part is the one that targets routers. An infected router will then infect machines that connect to it with trojans built for their respective architecture. (And the trojan is called GoBeacon in the case of Linux.)

Really not a security person so a lot of this is above my head.

ZuoRAT uses known security holes and therefore targets outdated routers. Update your router and you should be good.

I will update my router.

My question is not so much about ZuoRAT though, but about GoBeacon, the trojan a ZuoRAT-infected router would have installed on my Manjaro laptop. How can I check if this is the case?

Isn’t that obvious? Ask yourself: Can a Windows program run on Linux natively? …

This is pretty obvious.

The article mentions Linux twice:

malware that takes full control of connected devices running Windows, macOS, and Linux

And further down:

Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices.

I find the article makes it sound like GoBeacon was specifically written for Linux and macOS. Maybe it’s overly dramatic, I don’t know.

Indeed the graphic you copied has this “Windows Loader” part. But the text mentions Linux. I don’t think I should assume I am safe just because I don’t use Windows.

I connect to a lot of different routers with my laptop. Making sure I am never connecting to a problematic router is not really an option.

I will take it as “the article is overly dramatic and Linux is still too niche a target for me to have to worry about this”. But it is definitely not something I can have an authoritative opinion on.