Security researchers have uncovered an unusually sophisticated malware that has been targeting small office/home office (SOHO) routers for nearly two years, taking advantage of the pandemic and rapid shift to remote work.
Such routers are rarely monitored or up-to-date, making them attractive targets for hackers to reach adjacent corporate networks. According to Lumen’s Black Lotus Labs, this sophisticated campaign “has been active in North America and Europe for nearly two years beginning in October 2020.”
The attacks include ZuoRAT, a multi-stage remote access Trojan (RAT) that specifically exploits known vulnerabilities in SOHO routers to hijack DNS and HTTP traffic. The goal is to pivot from the router to workstations in the targeted network, where other RATs will be deployed to establish persistent and undetected communication channels (C2 servers).
The name “ZuoRAT” is based on the Chinese word for “left” (after the actor’s file name, “asdf.a”, which suggests a keyboard progression of the left hand). For now, the advanced persistent threat (APT) group behind the campaign remains unknown.
See The Best Wi-Fi 6 Routers Secure and Fast Enough for Business
State-Sponsored Hacking Campaign
ZuoRAT is deployed to “enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks,” the researchers wrote, which suggests a complex operation, probably performed by a state-sponsored group. The schema below from Black Lotus Labs gives a nice overview of the campaign:
Evidence containing Chinese characters and references to “sxiancheng” were found in multiple Windows samples. C2 servers that interact with the Windows RATs were hosted on internet services from China-based organizations such as Alibaba’s Yuque and Tencent.
Researchers believe ZuoRAT is a “heavily modified version of the Mirai malware.” The campaign is pretty advanced, judging from the technical details and the TTP (tactics, techniques and procedures) used to evade detection.
The threat actors even disguised their server with fake landing pages like this one:
All these procedures and the use of proxy servers in multiple countries might seem like a labyrinth, but researchers believe hackers built it on purpose to cover their tracks.
See the Best Antivirus Software
How to Protect Against ZuoRAT
Defenders and security teams can find the complete list of IoCs (indicators of compromise) on this GitHub page.
It’s important to note that ZuoRAT won’t be cleaned after a simple reboot and may even require a factory reset. Because it can deploy other malware on various operating systems, including Windows, Linux and macOS, it will likely spread to any connected device, so it’s not just about the router.
The shift to remote work can be problematic for the security of corporate networks, as even the most secure organizations have to allow in some external traffic. However, while users and admins won’t be able to catch everything, good practices do help, for example:
- Users of SOHO routers should apply security updates. Aggressive patching is often a good approach, even if it can have some inconveniences like incompatibilities and bugs.
- EDR solutions can spot unusual activities or agents on the machines connected to a network.
- And a zero trust framework can help verify users and limit access.
It’s always the same process: attackers look for easy prey to gain initial access. APT groups usually focus on stealth, which often involves taking bypaths and pivoting from compromised routers.