ZuoRAT Malware with Hallmarks of a State-Backed Threat Actor

Recently, Black Lotus Labs observed a sophisticated campaign, possibly performed by a state-sponsored organization. The campaign is distributing a multistage RAT, dubbed ZuoRAT, specially developed for small office/home office (SOHO) routers.

ZuoRAT operational details

ZuoRAT and the correlated activity represent a highly targeted campaign against North American and European organizations.
  • The campaign targets numerous SOHO routers manufactured by ASUS, Cisco, DrayTek, and NETGEAR.
  • The malware is deployed on a router after known vulnerabilities are exploited (in some cases CVE-2020-26878 and CVE-2020-26879) with the help of an authentication bypass exploit script.
  • The campaign uses China-based third-party infrastructure for command and control: Alibaba’s Yuque platform as a covert C2 channel and the Tencent platform as a C2 redirector.

Core components

ZuoRAT appears to be a heavily modified version of the Mirai botnet. Its functionalities can be divided into two components: auto-run upon execution (core component) and explicitly embedded exportable functions (auxiliary commands).
  • The core functionality component gathers information about the router and LAN, enables packet capture of network traffic, and sends the information back to the C2.
  • The auxiliary commands focus on the LAN enumeration capability, which provides the actor with additional targeting information for the LAN environment, subsequent DNS and HTTP hijacking capabilities, persistence and agent maintenance, and attack styles that are traditionally difficult for defenders to detect.

The ZuoRAT campaign has also been observed using a Windows loader to fetch a remote resource and run it on the host machine; this loader was used to deploy one of the fully functional second-stage agents.

Conclusion

The capabilities demonstrated by ZuoRAT point to a highly sophisticated actor who has possibly been living undetected on the edge of targeted networks for years. For mitigation, organizations should include routers in their patch planning and confirm these devices are running the latest firmware available from the vendor.
Cyware Publisher