Remote employees in North America and Europe have been targeted by a newly discovered multistage remote access Trojan (RAT) named ZuoRAT. According to the published findings, the malware has been abusing SOHO routers since 2020.
Lumen’s Black Lotus Labs researchers, who discovered the malware, noted that the sophistication of this highly targeted campaign, as well as the attackers’ tactics, techniques and procedures (TTPs), are all signs of state-sponsored malware.
After being installed on a router that is unpatched against known vulnerabilities, the multi-stage ZuoRAT malware allows the attackers to perform in-depth network surveillance and collect traffic information through passive network sniffing. In addition, ZuoRAT enables DNS and HTTP hijacking to move laterally and deliver other malicious payloads (such as Cobalt Strike beacons) on the network.
Devices hacked during the attack campaign were injected with two custom Trojans – a C++-based Trojan called CBeacon aimed at Windows workstations and a Go-based Trojan nicknamed GoBeacon that was aimed at Linux and Mac computers.
So-called SOHO routers, which are frequently used but rarely patched, provide a new avenue for threat actors to capture data in transit, hijack connections, and infect devices on nearby networks.
Employees have been using SOHO routers (such as those from ASUS, Cisco, DrayTek, and NETGEAR) to access company assets from their homes since the start of the COVID-19 pandemic, when there was a rapid shift to remote work; according to the report, this is roughly when the ZuoRAT campaign began. As a result, many well-established businesses’ traditional defense-in-depth posture was undermined by this quick, pandemic-driven change to remote work.
ZuoRAT attack campaign
The published information supports the hypothesis that a highly skilled actor, who has been able to remain undetected for years, is behind this campaign. During the attacks, the actor has been able to gain access to SOHO devices of various brands and models, collect host and LAN information, sample and hijack network communications to gain potentially persistent access to in-land devices, and intentionally steal C2 infrastructure by leveraging multi-stage siloed router-to-router communications.
The threat actor was also able to download and upload files, execute arbitrary commands, hijack network traffic, inject new processes, and achieve persistence on compromised devices thanks to the additional malware installed on computers inside victims’ networks (i.e., CBeacon, GoBeacon, and Cobalt Strike). The researchers report that detection was hindered by the enrollment of certain compromised routers in a botnet and the use of these routers to proxy command-and-control (C2) traffic.
Based on VirusTotal submissions and Black Lotus Labs telemetry, the researchers believe that at least 80 targets have been affected by the campaign. Mark Dehus, director of threat intelligence at Black Lotus Labs, urged organizations to monitor SOHO devices and check for any of the signs of abnormal behavior described in the report, since a campaign of this degree of sophistication may not be restricted to the few victims detected so far. To reduce the risk of compromise, companies should make sure that routers are included in their patch planning and that these devices are running the most recent software.
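Watching for the DNS hijacking described above is one concrete form of the abnormal-behavior check the report recommends for SOHO devices. The following is an added example, not code from Lumen or from the report: it compares, offline, the answers a LAN client received through its router's DNS forwarder against answers from independent resolvers, using constructed sample data; the hostnames, resolver labels and addresses are invented.

```python
import ipaddress

# RFC 1918 and loopback ranges: a public hostname should never resolve into these
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample data (not real captures): for each name, the A answers a LAN
# client got via the router's DNS forwarder, and the answers the same client got
# from independent resolvers reached over an encrypted (DoH/DoT) path.
ROUTER = "router(192.168.1.1)"
SAMPLE_ANSWERS = {
    "vpn.corp.example": {
        ROUTER: {"203.0.113.7"},            # differs from every trusted answer
        "resolver-a": {"198.51.100.20"},
        "resolver-b": {"198.51.100.20"},
    },
    "updates.example": {
        ROUTER: {"192.168.1.1"},            # public name answered with the router's own LAN IP
        "resolver-a": {"198.51.100.40"},
        "resolver-b": {"198.51.100.40"},
    },
    "cdn.example": {
        ROUTER: {"198.51.100.50", "198.51.100.51"},
        "resolver-a": {"198.51.100.51", "198.51.100.50"},
        "resolver-b": {"198.51.100.50"},    # normal CDN variance, still a known-good set
    },
}

def is_lan_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def suspicious_answers(answers, router_label):
    """Return {qname: reason} for names whose router-supplied answer looks hijacked:
    a public name resolving to a LAN address (redirect to the router itself), or a
    router answer containing an address no independent resolver returned."""
    findings = {}
    for qname, by_resolver in answers.items():
        router_ips = set(by_resolver.get(router_label, set()))
        trusted = set().union(*[ips for lbl, ips in by_resolver.items() if lbl != router_label])
        lan_hits = sorted(ip for ip in router_ips if is_lan_address(ip))
        if lan_hits:
            findings[qname] = f"resolves to LAN address {', '.join(lan_hits)} via router"
        elif router_ips - trusted:
            findings[qname] = f"router answer {sorted(router_ips - trusted)} not seen from any independent resolver"
    return findings
```

Run `suspicious_answers(SAMPLE_ANSWERS, ROUTER)` to see the two hijack symptoms flagged while the CDN name, whose answers vary legitimately, is left alone.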