This new malware targets home routers to infect corporate networks


A recently discovered Trojan, dubbed ZuoRAT, targets professionals working from home by exploiting flaws in their routers, which are often poorly protected. According to researchers at Lumen's Black Lotus Labs, ZuoRAT is part of a highly targeted and sophisticated campaign that has been aimed at professionals in Europe and North America for almost two years, that is, since the start of the health crisis.

“The tactics, techniques, and procedures that analysts have observed are very sophisticated and bear the hallmarks of what is likely a nation-state threat actor,” said Lumen, which first spotted this malware at the beginning of October 2020. The company explains that with the rise of telework, threat actors have seized the opportunity to specifically target home routers, which are rarely monitored or patched by corporate network administrators because they sit outside traditional network perimeters.

The company believes that the malware's capabilities point to a very sophisticated actor. These capabilities include: “accessing SOHO devices of different makes and models, collecting host and local network information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices, and an intentionally stealthy C2 infrastructure leveraging multistage siloed router-to-router communications.”

Many victims already counted

Lumen admits it has only a narrow view of the broader capabilities of the actor behind this malware, but its researchers believe with “high confidence” that the elements it is tracking are part of a larger campaign. The company estimates that the ZuoRAT campaign has already claimed at least 80 victims, although many more have likely been affected.

Black Lotus Labs observed telemetry indicating infections on SOHO routers from numerous manufacturers, including ASUS, Cisco, DrayTek, and Netgear. Campaign elements researchers have identified so far include ZuoRAT itself running on the home routers, a C++-compiled loader for Windows, and three agents that enable device enumeration, file download and upload, network communications hijacking (DNS/HTTP), and process injection.

The three agents are:

  • CBeacon – A custom-developed RAT written in C++, with the ability to download files, execute arbitrary commands, and persist on the infected machine via a Component Object Model (COM) hijacking method.
  • GoBeacon – A custom-developed RAT written in Go. This Trojan has almost the same functionality as CBeacon, but can also be cross-compiled for Linux and macOS.
  • Cobalt Strike – In some cases, this readily available remote access framework was used instead of CBeacon or GoBeacon.

“Malicious campaigns targeting routers pose a serious threat to businesses because routers sit outside the conventional security perimeter and often have weaknesses that make compromising them relatively easy to achieve,” said Mark Dehus, director of threat intelligence at Lumen Black Lotus Labs.

“Organizations should closely monitor remote devices and look for any signs of the activity described in this research. This level of sophistication leads us to believe that this campaign may not be limited to the small number of observed victims. To mitigate the threat, they should ensure that their patch planning includes routers and confirm that these devices are running the latest software available.”

Source: ZDNet.com