ZuoRAT – Can Take Over Widely Used SOHO Routers!

A new multi-stage Remote Access Trojan (RAT) that has been active since April 2020 is exploiting known vulnerabilities to target popular SOHO routers from Cisco Systems, Netgear, Asus & others.

Devices from Cisco, Netgear & others at risk from the multi-stage malware, which shows the work of a sophisticated threat player.

LAN Access

The malware, named ZuoRAT, can access the local LAN, capture packets being transmitted on the device & stage ‘man-in-the-middle’ attacks through DNS & HTTPS hijacking, according to researchers from Lumen Technologies’ threat-intelligence arm Black Lotus Labs.

The ability not only to ‘piggyback’ onto a LAN from a SOHO device but then to stage further attacks from it suggests that the RAT may be the work of a state-sponsored player, they noted in a blog post published Wed.

“The use of these 2 techniques demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organisation,” researchers wrote.

Level of Evasion

The level of evasion that threat players use to cover up communication with Command-&-Control (C&C) in the attacks “cannot be overstated” & also points to ZuoRAT being the work of professionals, they observed.

“1st, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content,” researchers wrote.

“Next, they used routers as proxy C2s that ‘hid in plain sight’ through router-to-router communication to further avoid detection. Finally, they rotated proxy routers periodically to avoid detection.”

Pandemic

Researchers named the trojan after the Chinese word for “left” because of the file name used by the threat players, “asdf.a.” The name “suggests keyboard walking of the lefthand home keys,” researchers noted.

Threat players likely deployed the RAT to take advantage of often-unpatched SOHO devices shortly after the COVID-19 pandemic broke out & many workers were ordered to work from home, which opened up a host of security threats, they commented.

Shift to Remote Work

“The rapid shift to remote work in Spring 2020 presented a fresh opportunity for threat actors to subvert traditional defence-in-depth protections by targeting the weakest points of the new network perimeter — devices which are routinely purchased by consumers but rarely monitored or patched,” researchers wrote.

“Actors can use SOHO router access to maintain a low-detection presence on the target network & exploit sensitive information transiting the LAN.”

Multi-Stage

From what researchers observed, ZuoRAT is a multi-stage RAT, with the 1st stage of core functionality designed to gain information about the device & the LAN to which it is connected, enable packet capture of network traffic, & then send the info back to Command-&-Control (C&C).

“We assess the purpose of this component was to acclimate the threat actor to the targeted router & the adjacent LAN to determine whether to maintain access,” researchers surmised.

This stage has functionality to ensure only a single instance of the agent was present, & to perform a ‘core dump’ that could yield data stored in memory such as credentials, routing tables & IP tables, as well as other info, they stated.

Auxiliary Commands

ZuoRAT also includes a 2nd component consisting of auxiliary commands sent to the router, which the player can use as they choose via additional modules that can be downloaded onto the infected device.

“We observed approximately 2,500 embedded functions, which included modules ranging from password spraying to USB enumeration & code injection,” researchers wrote.

This component provides LAN enumeration capability, which allows the threat player to further check out the LAN environment, & also performs DNS & HTTPS hijacking, which can be difficult to detect, they observed.
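The DNS-hijacking capability described above (& in the LAN Access section) is easiest to spot by comparing what the router’s resolver hands to LAN clients against what a trusted resolver returns for the same names. The following is an added example, not code from the original article or from Black Lotus Labs: it decodes A records from raw DNS response packets (handling name compression, with a guard against pointer loops), merges them into a per-name view, & flags names whose router-served answers diverge from the trusted view or resolve a public name to an RFC 1918 LAN address, which is the tell-tale sign of a router redirecting a login page to itself. The sample responses are constructed in-line with documentation addresses; the function & constant names are this example’s own assumptions.

```python
import ipaddress
import socket
import struct

MAX_POINTER_JUMPS = 16  # guard against malicious compression-pointer loops
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _encode_name(name):
    """Encode 'a.b' as DNS labels: \\x01a\\x01b\\x00."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def build_dns_response(txid, name, addresses, ttl=300):
    """Construct a minimal DNS response carrying A records for `name`.
    Used only to fabricate offline sample traffic for this example."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR=1, RD=1, RA=1
    question = _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in addresses:
        # 0xC00C: compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def _read_name(data, offset):
    """Decode a possibly-compressed name; return (name, offset after the field)."""
    labels, end, jumps = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:
                raise ValueError("too many compression pointers")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns_response(data):
    """Return {name: {ipv4, ...}} for the A records in one DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(data, offset)
        offset += 4  # skip QTYPE + QCLASS
    answers = {}
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, class IN
            answers.setdefault(name, set()).add(socket.inet_ntoa(rdata))
    return answers


def merge_answers(responses):
    """Fold several parsed responses into one {name: {ipv4, ...}} view."""
    merged = {}
    for raw in responses:
        for name, ips in parse_dns_response(raw).items():
            merged.setdefault(name, set()).update(ips)
    return merged


def _is_lan_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_hijacked(router_answers, trusted_answers):
    """Flag names whose router-served answers look tampered with."""
    findings = {}
    for name, ips in router_answers.items():
        reasons = []
        unexpected = sorted(ips - trusted_answers.get(name, set()))
        if unexpected:
            reasons.append(f"addresses never returned by the trusted resolver: {unexpected}")
        lan = sorted(ip for ip in ips if _is_lan_address(ip))
        if lan:
            reasons.append(f"public name resolved to an RFC 1918 LAN address: {lan}")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample traffic (not real captures): RFC 5737 documentation
# addresses plus one RFC 1918 address standing in for the router itself.
ROUTER_RESPONSES = [
    build_dns_response(0x1001, "login.example.com", ["192.168.1.1"]),
    build_dns_response(0x1002, "mail.example.net", ["203.0.113.10"]),
]
TRUSTED_RESPONSES = [
    build_dns_response(0x2001, "login.example.com", ["203.0.113.5"]),
    build_dns_response(0x2002, "mail.example.net", ["203.0.113.10"]),
]


def run_check():
    return find_hijacked(merge_answers(ROUTER_RESPONSES), merge_answers(TRUSTED_RESPONSES))


if __name__ == "__main__":
    for name, reasons in run_check().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

In practice the router view comes from a packet capture taken on a LAN client, & the trusted view from a resolver reached over an encrypted channel that the router cannot tamper with. Divergence alone is a weak signal for CDN-fronted names, whose answers legitimately vary; the LAN-address check is the stronger one, because a public hostname should never resolve to the router.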

Ongoing Threat

Black Lotus analysed samples from VirusTotal & its own telemetry to conclude that about 80 targets have so far been compromised by ZuoRAT.

Known vulnerabilities exploited to access routers to spread the RAT include: CVE-2020-26878 & CVE-2020-26879. Specifically, threat players used a Python-compiled Windows portable executable (PE) file that referenced a proof of concept called ruckus151021.py to gain credentials & load ZuoRAT, they commented.

Actively Targeting

Due to the capabilities & behaviour demonstrated by ZuoRAT, it is highly likely not only that the threat actor behind ZuoRAT is still actively targeting devices but that it has been “living undetected on the edge of targeted networks for years,” researchers suggested.

This presents an extremely dangerous situation for corporate networks & other organisations with remote workers connecting to affected devices, noted a security professional.

“SOHO firmware typically isn’t built with security in mind, especially pre-pandemic firmware where SOHO routers weren’t a big attack vector,” observed Dahvid Schloss, Offensive Security Team Lead for cyber-security firm Echelon.

Vulnerable Device

When a vulnerable device becomes compromised, threat players then have the freedom “to ‘poke’ & ‘prod’ at whatever device is connected” to the trusted connection that they hijack, he explained.

“From there you could attempt to use proxy-chains to throw exploits into the network or just monitor all the traffic going in, out, & around the network,” Schloss concluded.
