ZuoRAT Exploits Weaknesses in SOHO Routers to Target Remote Employees
It Is Believed the Infection Was Created by a Sophisticated Actor
A Remote Access Trojan (RAT) is a type of malware that gives the attacker full remote control over your system. Once a RAT reaches your computer, it lets the attacker read your local files, capture login credentials and other sensitive information, or use that connection to download further malware that you could unintentionally pass on to others.
A recently discovered remote access trojan (RAT) known as ZuoRAT has targeted remote employees by exploiting vulnerabilities in small office/home office (SOHO) routers, which are often left unpatched.
Researchers at Lumen’s Black Lotus Labs threat intelligence unit have reported that ZuoRAT is a component of a highly targeted and sophisticated campaign that has been targeting workers across North America and Europe for nearly two years, beginning in October 2020. The campaign is expected to continue targeting workers across these regions until October 2020.
Router malware campaigns pose a grave threat to organizations because routers exist outside of the conventional security perimeter and can often have weaknesses that make compromise relatively simple to achieve.
In this campaign, we have observed a threat actor’s capability to exploit SOHO routers, covertly access and modify internet traffic in ways difficult to detect, and gain additional footholds in the compromised network.
Lumen explains that when workers were sent home because of the pandemic in March 2020, threat actors gained a new opportunity to target SOHO routers, also known as edge network devices. Because these routers sit outside traditional network perimeters, corporate network admins rarely monitor or patch them, which is what made them attractive targets.
The RAT is able to:
- gain access to SOHO devices of various makes and models;
- collect host and LAN information to inform targeting, and sample and hijack network communications to gain potentially persistent access to in-land devices;
- maintain intentionally stealthy C2 infrastructure by leveraging multistage, siloed router-to-router communications.
The company admits that it has only a limited picture of the actor’s broader capabilities, but its experts have “high confidence” that the pieces they are monitoring belong to a larger effort. They believe this effort has affected at least 80 targets and that the true number is most likely far higher.
The investigators have only uncovered certain aspects of the campaign. These aspects include the ZuoRAT for SOHO routers, a loader for Windows that was written in C++, and three agents that enable device enumeration, the downloading and uploading of files, the hijacking of network (DNS/HTTP) communication, and the injection of processes.
As ZDNet reported, the three agents included:
- CBeacon – A custom-developed RAT written in C++, which had the ability to upload and download files, run arbitrary commands and persist on the infected machine via a component object model (COM) hijacking method.
- GoBeacon – A custom-developed RAT written in Go. This trojan had almost the same functionality as CBeacon, but also allowed for cross-compiling on Linux and macOS devices.
- Cobalt Strike – In some cases, this readily available remote access framework was used in lieu of either CBeacon or GoBeacon.
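The COM hijacking persistence attributed to CBeacon above works because per-user CLSID registrations under HKCU\Software\Classes take precedence over the machine-wide ones under HKLM. The following PowerShell script is an added defensive example, not code from the Lumen report or from ZDNet: it enumerates per-user InprocServer32 registrations and flags those that shadow a system CLSID, point at a DLL in a user-writable location, or load an unsigned or missing file. It assumes it is run on the Windows host under review, in the context of the user account being examined, and that the registry layout is the standard one.

```powershell
# Added example (not from the Lumen report): hunt for the COM hijacking
# persistence pattern attributed to CBeacon. Per-user CLSID registrations under
# HKCU\Software\Classes take precedence over the machine-wide ones under HKLM,
# so a user-level InprocServer32 that shadows a system CLSID, or that points at a
# DLL in a user-writable location, deserves analyst attention.
# Assumption: run in the context of the user account under review.

function Find-ComHijackCandidates {
    [CmdletBinding()]
    param()

    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -Path $userClsidRoot)) { return @() }

    # Locations an ordinary user can write to; a COM server DLL living here is unusual.
    $userWritableRoots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP) |
        Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
    $userWritablePattern = '^(' + ($userWritableRoots -join '|') + ')'

    foreach ($clsidKey in Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        $userInproc = "$userClsidRoot\$clsid\InprocServer32"
        if (-not (Test-Path -Path $userInproc)) { continue }

        # The default value of InprocServer32 is the DLL that COM will load.
        $dllPath = (Get-ItemProperty -Path $userInproc -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($dllPath)) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($dllPath).Trim('"')

        # Does the same CLSID exist machine-wide? If so, the HKCU entry overrides it.
        $machineInproc = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $shadowsMachine = Test-Path -Path $machineInproc
        $machineDll = if ($shadowsMachine) {
            (Get-ItemProperty -Path $machineInproc -ErrorAction SilentlyContinue).'(default)'
        } else { $null }

        # -match is case-insensitive in PowerShell, so drive letters and casing do not matter.
        $inUserWritable = $expanded -match $userWritablePattern
        $signature = if (Test-Path -LiteralPath $expanded) {
            (Get-AuthenticodeSignature -FilePath $expanded).Status.ToString()
        } else { 'FileMissing' }

        if ($shadowsMachine -or $inUserWritable -or $signature -ne 'Valid') {
            [pscustomobject]@{
                CLSID           = $clsid
                UserDll         = $expanded
                ShadowsMachine  = $shadowsMachine
                MachineDll      = $machineDll
                InUserWritable  = $inUserWritable
                SignatureStatus = $signature
            }
        }
    }
}

# Usage: list candidates for triage. Every hit still needs manual review, since
# some legitimate per-user software also registers COM servers under HKCU.
Find-ComHijackCandidates | Sort-Object ShadowsMachine -Descending | Format-Table -AutoSize
```

Entries where ShadowsMachine is true are the strongest signal, because a user-level override of an existing system CLSID is exactly the mechanism the technique relies on; a DLL that is unsigned, missing, or stored under the user profile is a weaker indicator on its own and should be correlated with the process that created the key, which Sysmon registry events (EventID 12/13) can supply if they are collected.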
Organizations should keep a close watch on SOHO devices and look for any signs of activity outlined in this research. This level of sophistication leads us to believe this campaign might not be limited to the small number of victims observed. To help mitigate the threat, they should ensure patch planning includes routers, and confirm these devices are running the latest software available.