Black Lotus Labs, a threat intelligence team within Lumen Technologies, has recently exposed a new modus operandi for an attack campaign that went undiscovered for nearly two years. This campaign is highly sophisticated and possibly state-sponsored. One of its most intriguing characteristics is that it targets small office / home office (SOHO) routers as an initial point of compromise, in addition to being particularly stealth.
The ZuoRAT attack chain
At the beginning of this attack campaign, A MIPS file compiled for SOHO routers is pushed to routers by exploiting known vulnerabilities. This file is a malware dubbed ZuoRAT by the researchers, designed to collect information about the devices and LANit can access after infecting a computer.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Upon infection, the malware enumerates the hosts and internal LAN. It has the capability to capture network packets being transmitted over the infected device and perform a man-in-the-middle attack such as DNS and HTTP hijacking based on a predefined ruleset. While these rules could not be retrieved, the lab hypothesizes that this hijack operation is the access vector to the deployment of subsequent shellcode loaders on machines within the local network.
Upon execution, the malware also tries to figure out the public IP address of the router by querying various online services providing this information. If none answer, the malware deletes itself.
ZuoRAT seems to be a heavily modified version of the Mirai malware, which has targeted various IoT devices all around the world for several years already.
Several SOHO routers have also been used as proxy C2 nodes, rendering the investigations more difficult.
The next step is pivoting from the router to the network’s workstations, deploying a Windows loader that is used to download and execute one of three possible different trojans: CBeacon, GoBeacon or CobaltStrike (Figure A).
The Windows loader used by the threat actor is written in C++. Interestingly, it tries to disguise itself as a legitimate Tencent application by including a real Tencent certificate, although invalid.
The loader reaches out to a C2 server and downloads and executes the next stage, which is to run CBeacon, GoBeacon or Cobalt Strike.
CBeacon is a custom C++-developed RAT which can upload and download files, execute shellcode, run arbitrary commands and persist on the infected machine. It can also obtain information on the computer it runs on, such as the computer name, user name and operating system information, which is sent to a C2 server controlled by the threat actor.
GoBeacon is another custom-developed RAT, this time written in the Go programming language. It has the same functionalities as CBeacon, but is able to run on Linux and MacOS via cross-compiling, although no version was discovered for these operating systems at the time of writing.
Cobalt Strike is a known remote access and attack framework that is generally used by both penetration testers and attackers. A sample from April 2022 was discovered communicating with a hard-coded IP address belonging to Tencent Cloud in China. This sample revealed similar PDB string content as previously analyzed samples from ZuoRAT.
ZuoRAT’s infected devices and targets
Telemetry analysis from the researchers indicates infections from numerous SOHO manufacturers, including ASUS, Cisco, DrayTek and Netgear. Yet only the exploit script affecting the JCQ-Q20 router model was found at the time of releasing the research. In that case, the attackers used a known exploit from 2020 which allowed them to access the router by gaining credentials and then successfully load ZuoRAT.
It is highly probable that this method has been used on all routers: Injection of command line to obtain a valid authentication or an authentication bypass, then downloading and executing ZuoRAT on the device.
According to the telemetry, ZuoRAT and correlated campaign activity typically target American and western European organizations. Over a period of nine months, at least 80 targets were impacted, but researchers suspect there are likely many more.
How skilled are the ZuoRAT threat actors?
The campaign is executed in a very professional manner. The level of sophistication of this kind of attack makes the researchers believe that this campaign was possibly performed by a state-sponsored organization.
A strong effort has been done to stay undetected. The attacking infrastructure was in particular highly protected: Initial exploits came from a virtual private server hosting benign content, while several compromised routers were used as proxies to reach the C2 server. Those proxy routers rotated periodically to avoid detection.
The threat actor used Chinese characters and words several times, including in PDB debugging strings, and made use of Chinese services like Yuque, an Alibaba-owned cloud-based knowledge base, to store a shellcode.
Yet the threat actor also uploaded Arabic content on one of the IP addresses it used. Since that content is not associated with any other part of the campaign, the researchers suspect it may be a ruse to avert suspicion.
While the final goal of the attacker remains unknown, the methods used are consistent with cyberespionage rather than financial crime.
How to protect yourself from this threat
Regularly reboot routers and keep their firmware and software patched to prevent from being compromised by common vulnerabilities.
Deploy multi-factor authentication for every service or access from the company that is facing the Internet. This way, even with compromised credentials, an attacker will not be able to log in, because they will miss another channel of authentication.
Properly configured and up-to-date detection solutions working on hosts and on the network should also be deployed in order to detect such threats.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.