SOHO Routers in North America and Europe Targeted With ‘ZuoRAT’ Malware

A remote access trojan (RAT) targeting small office/home office (SOHO) devices has remained undetected for nearly two years, according to security researchers with Black Lotus Labs, the threat intelligence arm of Lumen Technologies.

Dubbed ZuoRAT, the malware has been deployed on devices in North America and Europe as part of a sophisticated campaign targeting remote workers, which might have been conducted by a state-sponsored threat actor. At least 80 entities might have been impacted, the researchers estimate.

The attacks, which started in October 2020, targeted known vulnerabilities in SOHO routers from ASUS, Cisco, DrayTek, and NETGEAR for initial access, which then allowed the attackers to enumerate additional devices on the network and move laterally to more systems.

The Black Lotus Labs researchers also discovered evidence that workstations on the compromised network were likely infected with one of two custom RATs that enabled the attackers to download and upload files, run commands, and achieve persistence.

ZuoRAT is a multi-stage RAT built specifically for SOHO routers. It can enumerate the internal LAN, collect data passing through the infected device, and perform man-in-the-middle attacks such as DNS and HTTP hijacking.

According to Black Lotus Labs, the use of SOHO routers for network enumeration and traffic hijacking implies a high level of sophistication by the threat actor behind the campaign, potentially hinting at a state-sponsored group.

A Windows loader used in the attacks was observed fetching a remote resource, likely to load a fully functional second-stage agent. Depending on the environment, the agent might have been a custom RAT (CBeacon – written in C++, or GoBeacon – written in Go, with cross-platform capabilities), or Cobalt Strike Beacon (used in lieu of either CBeacon or GoBeacon).

The ZuoRAT agent framework, the researchers say, can be divided into two components: one containing functions that auto-run, and another composed of functions that were likely meant to be called by additional commands.

The first component was meant to perform in-depth reconnaissance of the network, while the second component contained additional commands that would likely be run by modules downloaded based on the information gathered by the first component.

“We observed approximately 2,500 embedded functions, which included modules ranging from password spraying to USB enumeration and code injection. We focused on the LAN enumeration capability, which provided the actor additional targeting information for the LAN environment, and subsequent DNS and HTTP hijacking capabilities, attack styles that are traditionally difficult for defenders to detect,” Black Lotus Labs notes.
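DNS and HTTP hijacking performed by the router itself are hard to spot from the router, but they leave a trace on the LAN side: names that should resolve to the organisation's public address space suddenly resolve to the router's own LAN address or to an unrelated range, and plaintext requests for trusted hosts come back with redirects to hosts outside the organisation. The script below is an added example written for this article; it is not code from SecurityWeek or Black Lotus Labs and does not reproduce any ZuoRAT artefact. It runs a defender-maintained baseline over two constructed log sources (a passive DNS sensor on the LAN and an HTTP access log); the log formats, domain names, address ranges and log lines are all constructed for illustration.

```python
"""Baseline checks for DNS and HTTP hijacking on a SOHO network.

Added example, not code from the article or from Black Lotus Labs. All
names, address ranges and log lines are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import ipaddress

# Defender baseline (constructed): public ranges that should answer for the
# organisation's externally hosted names, the hostname suffixes its web apps
# may legitimately redirect to, and the address space of the local network.
EXPECTED_ANSWERS = {
    "sso.example-corp.test": ["203.0.113.0/24"],
    "mail.example-corp.test": ["203.0.113.0/24", "198.51.100.0/24"],
}
TRUSTED_REDIRECT_SUFFIXES = (".example-corp.test",)
LOCAL_NAME_SUFFIXES = (".lan", ".local", ".home.arpa")
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


@dataclass(frozen=True)
class DnsRecord:
    client: str   # LAN host that asked
    qname: str    # queried name, normalised
    answer: str   # A record returned to the client
    ttl: int


@dataclass(frozen=True)
class HttpRecord:
    client: str
    host: str       # Host header of the plaintext request
    status: int
    location: str   # Location header if the reply was a redirect, else ""


def parse_dns_line(line: str) -> DnsRecord:
    """Parse 'client qname answer ttl' (constructed sensor format)."""
    client, qname, answer, ttl = line.split()
    return DnsRecord(client, qname.rstrip(".").lower(), answer, int(ttl))


def parse_http_line(line: str) -> HttpRecord:
    """Parse 'client host status location' (constructed format, '-' = no Location)."""
    client, host, status, location = line.split()
    return HttpRecord(client, host.lower(), int(status), "" if location == "-" else location)


def dns_findings(records):
    """Flag answers that point a public or baselined name at the wrong place."""
    findings = []
    for r in records:
        ip = ipaddress.ip_address(r.answer)
        # A non-local name resolving into the LAN is the classic sign of the
        # router answering with itself so it can sit in the middle.
        if any(ip in net for net in LAN_RANGES) and not r.qname.endswith(LOCAL_NAME_SUFFIXES):
            findings.append((r.client, r.qname, f"public name resolved to LAN address {r.answer}"))
            continue
        expected = EXPECTED_ANSWERS.get(r.qname)
        if expected and not any(ip in ipaddress.ip_network(n) for n in expected):
            findings.append((r.client, r.qname, f"answer {r.answer} outside expected ranges"))
    return findings


def http_findings(records):
    """Flag redirects that send a request for a trusted host somewhere else."""
    findings = []
    for r in records:
        if not (300 <= r.status < 400) or not r.location:
            continue
        if not r.host.endswith(TRUSTED_REDIRECT_SUFFIXES):
            continue  # only baselined hosts are checked
        target = urlsplit(r.location).hostname or ""
        if not target.endswith(TRUSTED_REDIRECT_SUFFIXES):
            findings.append((r.client, r.host, f"redirected to untrusted host {target}"))
    return findings


def analyze(dns_log: str, http_log: str):
    dns = [parse_dns_line(l) for l in dns_log.splitlines() if l.strip()]
    http = [parse_http_line(l) for l in http_log.splitlines() if l.strip()]
    return dns_findings(dns), http_findings(http)


# Constructed sample logs: two benign DNS answers, one answer pointing a
# public name at the router, one answer outside the baseline, one unrelated
# name, and one genuine local name; then a mix of benign and suspect redirects.
SAMPLE_DNS = """\
192.168.1.20 sso.example-corp.test. 203.0.113.15 300
192.168.1.21 mail.example-corp.test. 198.51.100.8 300
192.168.1.22 sso.example-corp.test. 192.168.1.1 60
192.168.1.23 mail.example-corp.test. 192.0.2.77 300
192.168.1.23 news.example.test. 192.0.2.44 3600
192.168.1.24 printer.lan 192.168.1.50 60
"""
SAMPLE_HTTP = """\
192.168.1.20 sso.example-corp.test 302 https://login.example-corp.test/auth
192.168.1.22 sso.example-corp.test 302 http://192.168.1.1/portal/login
192.168.1.25 news.example.test 301 https://www.news.example.test/
192.168.1.26 mail.example-corp.test 200 -
192.168.1.27 mail.example-corp.test 307 http://mail.example-corp.test.evil.test/
"""

if __name__ == "__main__":
    for finding in (*analyze(SAMPLE_DNS, SAMPLE_HTTP)[0], *analyze(SAMPLE_DNS, SAMPLE_HTTP)[1]):
        print("ALERT", *finding)
```

The two checks deliberately rely on a baseline the defender controls rather than on anything about the malware: they do not need to know which router model is infected or how the hijack is implemented, only where the organisation's names should resolve and where its web apps are allowed to redirect. The lookalike redirect target in the last HTTP line shows why the suffix comparison has to be anchored on a leading dot rather than a plain substring match.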

The researchers also identified obfuscated, multistage command and control (C&C) infrastructure, likely meant to serve the various phases of the malware infection. Furthermore, China-based third-party infrastructure, such as Yuque and Tencent, was used for C&C.

The attackers used a dedicated virtual private server (VPS) to deliver the initial exploit, then abused routers as proxies to hide C&C communication, and avoided detection by periodically rotating proxy routers.

Related: Stealthy ‘SockDetour’ Backdoor Used in Attacks on U.S. Defense Contractors

Related: US Details Chinese Attacks Against Telecoms Providers

Related: New ‘Cyclops Blink’ Malware Linked to Russian State Hackers Targets Firewalls

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
