Security researchers have discovered unusually sophisticated malware that has been targeting small office/home office (SOHO) routers for nearly two years, taking advantage of the pandemic and the rapid shift to remote working.
These routers are rarely monitored or updated, making them attractive targets for hackers to reach adjacent corporate networks. According to Lumen’s Black Lotus Labs, this sophisticated campaign “has been active in North America and Europe for almost two years starting in October 2020.”
Attacks include ZuoRAT, a multi-stage remote access trojan (RAT) that specifically exploits known vulnerabilities in SOHO routers to hijack DNS and HTTP traffic. The objective is to pivot from the router to the workstations in the targeted network, where other RATs will be deployed to establish persistent and undetected communication channels (C2 servers).
The name “ZuoRAT” is based on the Chinese word for “left” (from the actor’s filename, “asdf.a”, which suggests left-hand keyboard progression). For now, the Advanced Persistent Threat (APT) group behind the campaign remains unknown.
State-sponsored hacking campaign
ZuoRAT is deployed to “enumerate a host and internal LAN, capture transmitted packets on the infected device, and perform person-in-the-middle attacks,” the researchers wrote, suggesting a complex operation likely carried out by a state-sponsored group. The diagram below from Black Lotus Labs gives a good overview of the campaign:
Evidence containing Chinese characters and references to “sxiancheng” was found in several Windows samples. The C2 servers that interact with the Windows RATs were hosted on internet services from China-based organizations such as Alibaba’s Yuque and Tencent.
Researchers believe that ZuoRAT is a “heavily modified version of the Mirai malware”. The campaign is quite advanced, judging by the technical details and the TTP (tactics, techniques and procedures) used to evade detection.
Hackers even disguised their server with fake landing pages like this:
All of these procedures and the use of proxy servers in multiple countries may seem like a maze, but researchers believe hackers built it on purpose to cover their tracks.
How to protect against ZuoRAT
Defenders and security teams can find the full list of IoCs (indicators of compromise) on this GitHub page.
It is important to note that ZuoRAT is not removed by a simple reboot and may even require a factory reset. Because it can deploy additional malware on various operating systems, including Windows, Linux, and macOS, it will likely spread to any connected device, so the router is not the only system affected.
The shift to remote work can be problematic for corporate network security, as even the most secure organizations need to allow some external traffic. Users and administrators cannot catch everything, but good practices still help, for example:
- SOHO router users should apply security updates. Aggressive patching is often a good approach, although it can have some downsides like incompatibilities and bugs.
- EDR solutions can spot unusual activity or agents on machines connected to a network.
- And a zero-trust framework can help verify users and limit access.
It’s always the same process: attackers look for easy prey to gain initial access. APT groups typically focus on stealth, which often involves bypassing defenses and pivoting from compromised routers.