A multistage ZuoRAT has been targeting a wide range of SOHO routers

New unusual malware targets home-office routers to spy on networks

ZuoRAT targets home office routers to obtain sensitive information or corporate data

ZuoRAT malware targets SOHO routers in North America and Europe. Hackers have employed the newly discovered multi-stage remote access trojan to target remote workers via small office/home office (SOHO) routers since 2020.[1] Researchers believe this is the work of a state-sponsored hacker or group.[2] Security reports state that the malware is highly targeted, and these campaigns show the complexity and sophistication of the threat actor's tactics and procedures.[3]

Actors can leverage SOHO router access to maintain a low-detection presence on the target network and exploit sensitive information transiting the LAN

This remote access trojan grants the threat actors the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications. This way it can maintain access while staying undetected. These stealthy operations target routers from ASUS, Cisco, DrayTek, and NETGEAR and have been running for two years already.

The campaign started back at the beginning of the global pandemic

The start of the pandemic and the rapid shift to remote work motivated criminals to use the opportunity to subvert traditional defense-in-depth protections and target these weak points of the new network perimeter. Home devices are now purchased in greater numbers but are rarely monitored or patched,[4] so these SOHO routers make an attractive target. This possibly state-backed hacker group has already used this opportunity.

ZuoRAT, once deployed on the targeted router, bypasses authentication and provides the attackers with in-depth network reconnaissance capabilities and traffic collection via passive network sniffing.[5] The malware allows the compromise of other devices on the same network and the launch of other malware, such as Cobalt Strike beacons, by relying on DNS and HTTP hijacking.
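One defender-side check for the DNS hijacking described above, added here as an example and not code from the article or from the research it cites: it compares the answers a LAN router's resolver returns for a hostname with answers from an independent resolver, and flags a public name that resolves to a LAN address or answers that share nothing with the trusted resolver. The hostnames and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ranges that should never answer a public hostname: RFC 1918, loopback, link-local.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass(frozen=True)
class Finding:
    name: str
    router_answers: tuple
    trusted_answers: tuple
    reason: str

def is_lan_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_RANGES)

def compare_answers(name: str, router_answers: Iterable[str],
                    trusted_answers: Iterable[str]) -> Optional[Finding]:
    """Flag a hostname when the router's resolver disagrees with the independent
    resolver in a way consistent with hijacking; None means no finding."""
    r, t = set(router_answers), set(trusted_answers)
    if not r:
        return None  # NXDOMAIN or timeout: nothing to compare
    lan = sorted(ip for ip in r if is_lan_address(ip))
    if lan:
        # A public name resolving to a LAN address is the classic sign of a router
        # redirecting clients to a proxy it controls.
        return Finding(name, tuple(sorted(r)), tuple(sorted(t)),
                       f"public name resolved to LAN address {lan[0]}")
    if r.isdisjoint(t):
        return Finding(name, tuple(sorted(r)), tuple(sorted(t)),
                       "router answers share no address with the trusted resolver")
    return None  # partial overlap is ordinary CDN rotation, not a hijack

def scan(records) -> List[Finding]:
    """records: (hostname, router_answers, trusted_answers) triples."""
    results = (compare_answers(n, r, t) for n, r, t in records)
    return [f for f in results if f is not None]

# Constructed sample answers (not from the article); in practice they come from
# querying the router's DHCP-advertised resolver and an independent resolver.
SAMPLE_RECORDS = [
    ("update.corp.example", ["192.168.1.1"], ["198.51.100.10"]),
    ("cdn.example.net", ["198.51.100.7", "198.51.100.8"], ["198.51.100.8", "198.51.100.9"]),
    ("login.example.org", ["203.0.113.5"], ["198.51.100.20"]),
]
```

Calling `scan(SAMPLE_RECORDS)` flags the first and third records and leaves the CDN case alone; a real run would feed it answers from `dig @<router>` and `dig @<trusted resolver>` for the same names.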

It was discovered that two other trojans were delivered onto already compromised devices during these attacks. A C++-based one, dubbed CBeacon, targeted Windows workstations, and a Go-based threat named GoBeacon could infiltrate Linux and Mac systems besides targeting Windows machines.

Sophisticated actors affecting networks for years

Those additional malware deployments helped attackers download and upload files, run commands, hijack network traffic, and inject into other processes to gain persistence on the compromised devices. The compromised routers were also added to a botnet used to proxy command-and-control traffic to hinder detection efforts. Analysis shows that the group affected at least 80 separate targets.

These capabilities of gaining access to SOHO devices of different models, collecting host and LAN information, sampling and hijacking network communications to gain persistence and access to in-land devices, and leveraging multi-stage siloed router-to-router communications indicate a highly sophisticated actor group behind the campaign. It is possible that these campaigns were running undetected on the edge of targeted networks for years.

Organizations should keep a close watch on small office and home office devices too, and look out for any signs of the activity outlined by the Black Lotus Labs research team. These sophisticated and highly targeted campaigns suggest that the attackers are not limited to the small number of victims discovered so far. The risk can be mitigated; patch planning that includes router devices is one such method.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
