ZuoRAT Malware Hijacking Home-Office Routers to Spy on Targeted Networks
A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks.
The malware grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.
The stealthy operation, which targeted routers from ASUS, Cisco, DrayTek, and NETGEAR, is believed to have commenced in early 2020 during the initial months of the COVID-19 pandemic, effectively remaining under the radar for over two years.
Consumers and remote employees routinely use SOHO routers, but these devices are rarely monitored or patched, which makes them one of the weakest points of a network's perimeter.
Initial access to the routers is obtained by scanning for known unpatched flaws to load the remote access tool, using it to gain access to the network and drop a next-stage shellcode loader that's used to deliver Cobalt Strike and custom backdoors such as CBeacon and GoBeacon that are capable of running arbitrary commands.
In addition to enabling in-depth reconnaissance of target networks, traffic collection, and network communication hijacking, the malware has been described as a heavily modified version of the Mirai botnet.
"ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules)."
Also included is a function to harvest TCP connections over ports 21 and 8443, which are associated with FTP and web browsing, potentially enabling the adversary to keep tabs on the users' internet activity behind the compromised router.
Other capabilities of ZuoRAT allow the attackers to monitor DNS and HTTPS traffic with an aim to hijack the requests and redirect the victims to malicious domains using preset rules that are generated and stored in temporary directories in an attempt to resist forensic analysis.
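A defender-side check for the kind of rule-based DNS hijack described above, added here as an example and not taken from the report or the article: parse a DNS response exactly as the router handed it back, extract the A records, and compare them against a reference answer obtained out of band (for instance from a trusted resolver); any domain whose returned address is not in the reference set is flagged. The `build_response` helper and the sample addresses are constructed for the demonstration.

```python
import struct


def parse_name(msg, off):
    """Decode a DNS name at `off`, following compression pointers (RFC 1035)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # a pointer terminates the name in the stream
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return {name: {ipv4, ...}} for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = parse_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    answers = {}
    for _ in range(ancount):
        name, off = parse_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.setdefault(name, set()).add(".".join(str(b) for b in rdata))
    return answers


def detect_hijack(router_msg, reference):
    """Flag (name, unexpected_ips) where the router's answer leaves the reference set."""
    alerts = []
    for name, ips in parse_a_records(router_msg).items():
        expected = reference.get(name)
        if expected is not None and not ips <= expected:
            alerts.append((name, sorted(ips - expected)))
    return alerts


def build_response(qname, ip, ttl=60):
    """Constructed minimal response: one question, one A answer using a 0xC00C pointer."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    qn = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + qn + struct.pack("!HH", 1, 1) + ans
```

In practice the reference set comes from a resolver the router cannot tamper with (for example DNS over HTTPS from a host on the LAN), and repeated mismatches for login or update domains are the signal worth alerting on.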
To further avoid detection, the staging server has been spotted hosting seemingly innocuous content, in one instance mimicking a website called "muhsinlar.net," a propaganda portal set up for the Turkestan Islamic Party (TIP), a Uyghur extremist outfit originating from China.
The identity of the adversarial collective behind the campaign remains unknown, although an analysis of the artifacts has revealed possible references to the Chinese province of Xiancheng and the use of Alibaba's Yuque and Tencent for command-and-control (C2).
The elaborate and evasive nature of the operation coupled with the tactics used in the attacks to remain undercover point toward potential nation-state activity, Black Lotus Labs noted.
"The capabilities demonstrated in this campaign — gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications — point to a highly sophisticated actor."