Researchers at Lumen’s Black Lotus Labs threat intelligence unit report that ZuoRAT is part of a highly targeted, sophisticated campaign that has been targeting workers across North America and Europe for nearly two years, beginning in October 2020. “The tactics, techniques and procedures (TTPs) that analysts observed are highly sophisticated and bear the markings of what is likely a nation-state threat actor,” Lumen said. SEE: Ransomware attacks: This is the data that cyber criminals really want to steal Lumen explains that, when the pandemic sent workers home in March 2020, threat actors were given a fresh opportunity to target SOHO routers – or edge network devices – that are rarely monitored or patched by corporate network admins and which fall outside traditional network perimeters. The firm believes the malware’s capabilities suggest it was the work of a highly sophisticated actor. These capabilities included: “gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications.” Lumen concedes it only has a narrow view of the actor’s broader capabilities but its researchers assess with “high confidence” that the elements it is tracking are part of a broader campaign. Also, Lumen estimates this campaign has impacted at least 80 targets, but it says likely many more have been affected. Black Lotus Labs notes that it observed telemetry indicating infections stemming from numerous SOHO router manufacturers, including ASUS, Cisco, DrayTek and Netgear. Elements of the campaign the researchers have gleaned to date include the ZuoRAT for SOHO routers, a loader for Windows compiled in C++, and three agents that allow device enumeration, downloading and uploading files, network (DNS/HTTP) communication hijacking, and process injection. The three agents included:
CBeacon – A custom developed RAT written in C++, which had the ability to upload and download files, run arbitrary commands and persist on the infected machine via a component object model (COM) hijacking method.GoBeacon – A custom-developed RAT written in Go. This trojan had almost the same functionality as CBeacon, but also allowed for cross-compiling on Linux and MacOS devices.Cobalt Strike – In some cases, this readily available remote access framework was used in lieu of either CBeacon or GoBeacon.
“Router malware campaigns pose a grave threat to organizations because routers exist outside of the conventional security perimeter and can often have weaknesses that make compromise relatively simple to achieve,” said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs. “Organizations should keep a close watch on SOHO devices and look for any signs of activity outlined in this research. This level of sophistication leads us to believe this campaign might not be limited to the small number of victims observed. To help mitigate the threat, they should ensure patch planning includes routers, and confirm these devices are running the latest software available.”