Small office/home office (SOHO) routers have been singled out by a previously unknown remote access trojan known as ZuoRAT as part of a sophisticated operation against North American and European networks. Researchers at Lumen Black Lotus Labs wrote in a report that the malware “grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.”
The covert operation, which targeted routers made by ASUS, Cisco, DrayTek, and NETGEAR, is thought to have started in the early months of the COVID-19 pandemic in 2020, and it went unnoticed for more than two years. According to the company’s threat intelligence team, SOHO routers are one of the weakest spots of a network’s perimeter: they are widely used by consumers and remote workers but seldom monitored or patched.
The remote access tool is loaded after the routers are first accessed through known unpatched vulnerabilities. This tool then drops a next-stage shellcode loader that launches Cobalt Strike and bespoke backdoors such as CBeacon and GoBeacon, which can execute arbitrary commands. The malware has been described as a substantially modified variant of the Mirai botnet, whose source code was leaked in October 2016. It is capable of comprehensive reconnaissance of target networks, traffic collection, and network communication hijacking.
“ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules),” said the researchers.
A function present on the hacked router collects TCP connections over ports 21 (FTP) and 8443 (web browsing), which may let the adversary monitor users’ internet behavior. With the help of ZuoRAT’s additional features, attackers can watch DNS and HTTPS traffic with the intention of hijacking requests and rerouting victims to malicious domains, using pre-made rules that are generated and stored in temporary directories to evade forensic analysis.
These are not the only steps the hackers took to hide their activity: they also used a virtual private server to drop the initial RAT exploit and turned infected routers into proxy C2 servers. The attacks rely on complex, multistage C2 infrastructure. The staging server has been seen displaying seemingly innocent content to further evade discovery, including one occasion when it imitated the website “muhsinlar.net,” a propaganda platform created for the Turkestan Islamic Party (TIP), an Islamist Uyghur group with Chinese roots.
Although an investigation of the artifacts showed potential allusions to the Chinese region of Xiancheng and the use of Alibaba’s Yuque and Tencent for command-and-control (C2), the group behind the effort has not been identified. According to Black Lotus Labs, the operation’s complex and elusive character, as well as the strategies employed in the attacks to remain undetected, indicate possible nation-state activity.