A remote access trojan (RAT) targeting small office/home office (SOHO) devices has remained undetected for nearly two years, according to security researchers with Black Lotus Labs, the threat intelligence arm of Lumen Technologies.
Dubbed ZouRAT, the malware has been deployed on devices in North America and Europe, as part of a sophisticated campaign targeting remote workers, which might have been conducted by a state-sponsored threat actor. At least 80 entities might have been impacted, the researchers estimate.
The attacks, which started in October 2020, targeted known vulnerabilities in SOHO routers from ASUS, Cisco, DrayTek, and NETGEAR for initial access, which then allowed the attackers to enumerate additional devices on the network and move laterally to more systems.
The Black Lotus Labs researchers also discovered evidence that workstations on the compromised network were likely infected with one of two custom RATs that enabled the attackers to download and upload files, to run commands, and achieve persistence.
ZuoRAT is a multi-stage RAT specifically targeting SOHO routers, and which is capable of enumerating the internal LAN, collecting data transmitted over the infected device, and performing man-in-the-middle attacks such as DNS and HTTP hijacking.
According to Black Lotus Labs, the use of SOHO routers for network enumeration and traffic hijacking implies a high level of sophistication by the threat actor behind the campaign, potentially hinting at a state-sponsored group.
A Windows loader used in the attacks was observed fetching a remote resource, likely to load a fully functional second-stage agent. Depending on the environment, the agent might have been a custom RAT (CBeacon – written in C++, or GoBeacon – written in Go, with cross-platform capabilities), or Cobalt Strike Beacon (used in lieu of either CBeacon or GoBeacon).
The ZuoRAT agent framework, the researchers say, can be divided into two components, one containing functions that would auto-run, and another comprised of functions that were likely meant to be called by additional commands.
The first component was meant to perform in-depth reconnaissance of the network, while the second component contained additional commands that would likely be run by modules downloaded based on the information gathered by the first component.
“We observed approximately 2,500 embedded functions, which included modules ranging from password spraying to USB enumeration and code injection. We focused on the LAN enumeration capability, which provided the actor additional targeting information for the LAN environment, and subsequent DNS and HTTP hijacking capabilities, attack styles that are traditionally difficult for defenders to detect,” Black Lotus Labs notes.
The researchers also identified obfuscated, multistage command and control (C&C) infrastructure, likely meant to serve the various phases of the malware infection. Furthermore, China-based third-party infrastructure, such as Yuque and Tencent, was used for C&C.
The attackers used a dedicated virtual private server (VPS) to deliver the initial exploit, then abused routers as proxies to hide C&C communication, and avoided detection by periodically rotating proxy routers.
Related: Stealthy ‘SockDetour’ Backdoor Used in Attacks on U.S. Defense Contractors
Related: US Details Chinese Attacks Against Telecoms Providers
Related: New ‘Cyclops Blink’ Malware Linked to Russian State Hackers Targets Firewalls