
ZuoRAT malware hijacks SOHO routers to spy on victims

A new RAT dubbed ZuoRAT was employed in a campaign aimed at small office/home office (SOHO) routers in North America and Europe.

Researchers from Black Lotus Labs, the threat intelligence division of Lumen Technologies, have discovered a new remote access trojan (RAT) called ZuoRAT, which targets small office/home office (SOHO) devices of remote workers during the COVID-19 pandemic.

The malware was designed to target routers from ASUS, Cisco, DrayTek, and NETGEAR.

The experts believe the attacks are part of a sophisticated campaign that went undetected for nearly two years. The complexity of the tactics, techniques and procedures (TTPs) observed by the researchers led them to believe that the campaign is carried out by a nation-state actor.

“We identified a multistage remote access trojan (RAT) developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.” reads the report published by Lumen.

The attack chain starts by scanning for devices vulnerable to known issues in order to load the remote access tool and gain a foothold in the target network. The malicious code then drops a shellcode loader that is used to deploy Cobalt Strike beacons and custom backdoors such as CBeacon and GoBeacon.

The ZuoRAT RAT allows operators to perform in-depth reconnaissance of target networks, collect traffic and hijack network communications. The RAT is composed of two components: the first includes functions that run automatically upon execution of the file, the second includes functions that are embedded in the file but are never explicitly called. Experts believe these functions were implemented to be invoked by additional commands. Experts speculate that ZuoRAT is based on the Mirai malware, but it is a heavily modified version.

The first component includes multiple functions that allow operators to collect network traffic on UDP, DNS and some TCP connections.

“A function was then initialized to collect TCP connections over the following specified ports: 20, 21 (associated with FTP connection), 80, 8080, 443 and 8443 (associated with web-based activity). This could allow the threat actor to obtain any credential passed in the clear, and gain insight into the browsing activity performed by the end user behind the compromised router.” continues the report.

ZuoRAT is also able to hijack DNS and HTTPS requests and redirect victims to malicious domains.

The malware hides its traffic behind obfuscated, multistage C2 infrastructure: the threat actors deliver the first-stage payload from a dedicated virtual private server (VPS) that hosted benign content, then rely on compromised routers as proxy C2s, which hid in plain sight through router-to-router communication to avoid detection. The operators also rotated the proxy routers periodically to fly under the radar.
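Router-to-router proxying of this kind leaves one trace a defender can look for: the router itself, rather than a client behind it, opening connections to addresses that are not its vendor's update or time servers, with the destination changing every day or so as proxy nodes rotate. The Python below is an added illustration for this article, not code from the report or from Lumen; it assumes flow records in which router-originated connections are already distinguishable from forwarded client traffic (for example a flow export or firewall log taken on the router itself, since NAT hides that distinction at any upstream vantage point), and the router address, allowlist and flow records are constructed sample data using documentation ranges.

```python
from collections import defaultdict
from datetime import datetime

ROUTER_IP = "192.168.1.1"  # the gateway's own address in the records (constructed)

# Destinations the router legitimately contacts on its own behalf (constructed).
ALLOWLIST = {
    "198.51.100.123": "vendor-update",
    "198.51.100.5": "ntp",
}

# Constructed flow records: (timestamp, src, dst, dst_port, bytes).
FLOWS = [
    ("2022-06-01T08:00:00", "192.168.1.20", "192.0.2.10", 443, 5000),     # client, forwarded
    ("2022-06-01T08:05:00", ROUTER_IP, "198.51.100.123", 443, 2000),      # allowlisted update check
    ("2022-06-01T09:00:00", ROUTER_IP, "203.0.113.40", 443, 800),         # router-originated, unknown
    ("2022-06-02T09:00:00", ROUTER_IP, "203.0.113.41", 443, 900),         # next day, new destination
    ("2022-06-03T09:10:00", ROUTER_IP, "203.0.113.42", 443, 700),         # next day, new destination
    ("2022-06-03T10:00:00", "192.168.1.30", "198.51.100.20", 993, 3000),  # client, forwarded
]


def router_originated_flows(flows, router_ip=ROUTER_IP, allowlist=ALLOWLIST):
    """Flows the router initiated itself (not forwarded client traffic) to
    destinations outside its known-good list."""
    return [f for f in flows if f[1] == router_ip and f[2] not in allowlist]


def destinations_per_day(flows):
    """Distinct destinations contacted on each calendar day.

    A different unknown peer nearly every day, each used briefly, is the
    pattern to expect from the periodically rotated proxy routers the report
    describes; a stable destination is more likely a service the allowlist
    simply does not know about yet."""
    by_day = defaultdict(set)
    for ts, _src, dst, _port, _nbytes in flows:
        day = datetime.fromisoformat(ts).date().isoformat()
        by_day[day].add(dst)
    return dict(by_day)


def rotation_suspected(flows, min_days=3):
    """True when unknown destinations change on every observed day and at
    least min_days of data exist, i.e. no peer is reused across days."""
    per_day = destinations_per_day(flows)
    if len(per_day) < min_days:
        return False
    seen, reused = set(), False
    for day in sorted(per_day):
        reused |= bool(per_day[day] & seen)
        seen |= per_day[day]
    return not reused


if __name__ == "__main__":
    suspicious = router_originated_flows(FLOWS)
    for day, dests in sorted(destinations_per_day(suspicious).items()):
        print(day, sorted(dests))
    print("rotation suspected:", rotation_suspected(suspicious))
```

The allowlist is the weak point of this check: it must be built from the router's observed baseline (update, NTP, DDNS and cloud-management endpoints documented by the vendor) before it is useful, and any unknown but stable destination should be added to it after verification rather than left to generate alerts. The rotation heuristic is deliberately conservative and needs several days of records before it reports anything.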

The experts did not attribute the campaign to a specific threat actor, but the investigation suggests the involvement of Chinese threat actors.

“The capabilities demonstrated in this campaign — gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications — points to a highly sophisticated actor,” the researchers concluded.


Pierluigi Paganini
