Researchers have discovered a remote access Trojan currently being used against a wide range of small office/home office (SOHO) routers in Europe and North America, potentially the work of a state-sponsored actor. It has infected at least 80 victims so far.
The malware, known as ZuoRAT, makes its way onto routers through exploits for known vulnerabilities. It can also infect other devices on the network and introduce additional malware via DNS and HTTP hijacking.
ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks.
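The DNS and HTTP hijacking described above leaves a measurable trace on the LAN side: the router's resolver starts handing out answers that disagree with a trusted out-of-band resolver, and plain-HTTP requests get redirected off the site the client asked for. The following is an added defender-side example, not code from the article or from Lumen; every hostname, address and redirect in it is constructed sample data (documentation ranges and `.test` names), not an indicator from the report. It compares the two sets of DNS answers, tolerating ordinary CDN rotation, and flags redirects that leave the requested site.

```python
import ipaddress
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed sample data: answers the router's resolver returned for a few
# names, versus what a trusted out-of-band resolver returned for the same
# names. Hostnames and addresses are hypothetical, not IoCs from the report.
ROUTER_ANSWERS: Dict[str, Set[str]] = {
    "update.example-vendor.test": {"203.0.113.7"},       # differs entirely
    "portal.example.test": {"10.0.0.5"},                 # public name pointed into the LAN
    "bank.example.test": {"198.51.100.10"},              # matches reference
    "cdn.example.test": {"192.0.2.20", "192.0.2.21"},    # partial overlap (CDN rotation)
}
REFERENCE_ANSWERS: Dict[str, Set[str]] = {
    "update.example-vendor.test": {"192.0.2.10"},
    "portal.example.test": {"198.51.100.50"},
    "bank.example.test": {"198.51.100.10"},
    "cdn.example.test": {"192.0.2.21", "192.0.2.22"},
    "missing.example.test": {"192.0.2.99"},              # router gave no answer at all
}

# Constructed (requested URL, Location header) pairs as seen from the LAN.
OBSERVED_REDIRECTS: List[Tuple[str, str]] = [
    ("http://www.example.test/", "https://www.example.test/"),
    ("http://downloads.example.test/setup.exe",
     "http://files.example-mirror.test/setup.exe"),
    ("http://shop.example.test/", "https://shop.example.test/login"),
]

# RFC 1918 ranges only; ipaddress.is_private also covers documentation
# ranges, which would mislabel our constructed public addresses.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan_address(ip: str) -> bool:
    """True if ip falls inside an RFC 1918 private range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def find_dns_hijacks(router: Dict[str, Set[str]],
                     reference: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every name whose router answer is suspicious."""
    findings = []
    for name, ref_ips in reference.items():
        router_ips = router.get(name, set())
        if not router_ips:
            findings.append((name, "no answer from router resolver"))
            continue
        if router_ips & ref_ips:
            # At least one address agrees: consistent with normal CDN rotation.
            continue
        lan = sorted(ip for ip in router_ips if is_lan_address(ip))
        if lan:
            findings.append((name, f"public name resolved to LAN address {lan}"))
        else:
            findings.append((name, f"router {sorted(router_ips)} disagrees "
                                   f"with reference {sorted(ref_ips)}"))
    return findings


def same_site(host_a: str, host_b: str) -> bool:
    """Crude same-site check: compare the last two DNS labels."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


def find_http_hijacks(redirects: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (requested, location, reason) for redirects that leave the requested site."""
    findings = []
    for requested, location in redirects:
        req_host = urlparse(requested).hostname or ""
        loc_host = urlparse(location).hostname or ""
        if not same_site(req_host, loc_host):
            findings.append((requested, location, "redirect leaves the requested site"))
    return findings


if __name__ == "__main__":
    for finding in find_dns_hijacks(ROUTER_ANSWERS, REFERENCE_ANSWERS):
        print("DNS :", finding)
    for finding in find_http_hijacks(OBSERVED_REDIRECTS):
        print("HTTP:", finding)
```

In practice the reference answers would come from a resolver reached without going through the suspect router (for example over a mobile connection or an encrypted resolver pinned by IP), and the redirect pairs from a packet capture taken on the LAN; the same-site check is deliberately simple, so a real deployment would use a public-suffix list to avoid false positives on multi-label TLDs.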
The malware targets routers from Cisco, Netgear, Asus, and DrayTek, although the report declined to specify individual router models.
Researchers noted that while compromising SOHO routers as an access vector into an adjacent LAN is not a novel technique, the combined use of DNS and HTTP hijacking demonstrated a high level of sophistication by the threat actor, indicating the possibility of a state-sponsored organization.
The multi-stage campaign includes multiple fully functional Trojans, as well as complex and covert C2 and proxy C2 infrastructure to obfuscate command-and-control and evade detection.
The researchers found two other Trojans on the hacked devices. One was based on C++ and targeted Windows workstations. The other Trojan was based on the Go programming language and attacked Linux and macOS as well as Windows.
These Trojans allowed the attackers to start new processes, gain permanent access to infected systems, intercept network traffic, and upload or download arbitrary files.
If a SOHO router is unpatched or vulnerable to known security flaws, ZuoRAT poses a dangerous combination of reconnaissance, authentication-bypass exploit scripts, and lateral-movement capabilities.
Educating users on how to protect their home networks, passwords, and financial information increases their engagement and builds cybersecurity hygiene.
This research was conducted and documented by Lumen's threat intelligence team.
Indicators of Compromise