A novel multistage remote access trojan (RAT) that’s been active since April 2020 is exploiting known vulnerabilities to target popular SOHO routers from Cisco Systems, Netgear, Asus and others.
The malware, dubbed ZuoRAT, can access the local LAN, capture packets being transmitted on the device and stage man-in-the-middle attacks through DNS and HTTPS hijacking, according to researchers from Lumen Technologies’ threat-intelligence arm Black Lotus Labs.
The ability to not only hop on a LAN from a SOHO device and then stage further attacks suggests that the RAT may be the work of a state-sponsored actor, they noted in a blog post published Wednesday.“The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization,” researchers wrote in the post.
The level of evasion that threat actors use to cover up communication with command-and-control (C&C) in the attacks “cannot be overstated” and also points to ZuoRAT being the work of professionals, they said.
“First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content,” researchers wrote. “Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection.”
Pandemic Opportunity
Researchers named the trojan after the the Chinese word for “left” because of the file name used by the threat actors, “asdf.a.” The name “suggests keyboard walking of the lefthand home keys,” researchers wrote.
Threat actors deployed the RAT likely to take advantage of often unpatched SOHO devices shortly after the COVID-19 pandemic broke out and many workers were ordered to work from home, which opened up a host of security threats, they said.
“The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defense-in-depth protections by targeting the weakest points of the new network perimeter — devices which are routinely purchased by consumers but rarely monitored or patched,” researchers wrote. “Actors can leverage SOHO router access to maintain a low-detection presence on the target network and exploit sensitive information transiting the LAN.”
Multi-Stage Attack
From what researchers observed, ZuoRAT is a multi-stage affair, with the first stage of core functionality designed to glean information about the device and the LAN to which its connected, enable packet capture of network traffic, and then send the info back to command-and-control (C&C).
“We assess the purpose of this component was to acclimate the threat actor to the targeted router and the adjacent LAN to determine whether to maintain access,” researchers noted.
This stage has functionality to ensure only a single instance of the agent was present, and to perform a core dump that could yield data stored in memory such as credentials, routing tables and IP tables, as well as other info, they said.
ZuoRAT also includes a second component comprised of auxiliary commands sent to the router for use as the actor so chooses by leveraging additional modules that can be downloaded onto the infected device.
“We observed approximately 2,500 embedded functions, which included modules ranging from password spraying to USB enumeration and code injection,” researchers wrote.
This component provides capability for LAN enumeration capability, which allows the threat actor to further scope out the LAN environment and also perform DNS and HTTP hijacking, which can be difficult to detect, they said.
Ongoing Threat
Black Lotus analyzed samples from VirusTotal and its own telemetry to conclude that about 80 targets so far have been compromised by ZuoRAT.
Known vulnerabilities exploited to access routers to spread the RAT include: CVE-2020-26878 and CVE-2020-26879. Specifically, threat actors used a Python-compiled Windows portable executable (PE) file that referenced a proof of concept called ruckus151021.py to gain credentials and load ZuoRAT, they said.
Due to the capabilities and behavior demonstrated by ZuoRAT, it’s highly likely that not only that the threat actor behind ZuoRAT is still actively targeting devices, but has been ” living undetected on the edge of targeted networks for years,” researchers said.
This presents an extremely dangerous scenario for corporate networks and other organizations with remote workers connecting to affected devices, noted one security professional.
“SOHO firmware typically isn’t built with security in mind, especially pre-pandemic firmware where SOHO routers weren’t a big attack vector,” observed Dahvid Schloss, offensive security team lead for cybersecurity firm Echelon, in an email to Threatpost.
Once a vulnerable device is compromised, threat actors then have free rein “to poke and prod at whatever device is connected” to the trusted connection that they hijack, he said.
“From there you could attempt to use proxychains to throw exploits into the network or just monitor all the traffic going in, out, and around the network,” Schloss said.