Researchers uncover ZuoRAT malware targeting home-office routers

Black Lotus Labs discovered a new remote access trojan (RAT) called ZuoRAT, which targets remote workers via their small office/home office (SOHO) devices, including models from ASUS, Cisco, DrayTek and NETGEAR.

Overview of campaign elements

ZuoRAT is part of a complex campaign that went undetected for nearly two years. The tactics, techniques and procedures (TTPs) that analysts observed bear the markings of what is likely a nation-state threat actor.

The campaign included ZuoRAT – a multi-stage RAT developed for SOHO routers leveraging known vulnerabilities – which allowed the threat actor to enumerate the adjacent home network, collect data in transit, and hijack home users’ DNS/HTTP internet traffic. The actor was able to remain undetected by living on devices rarely monitored, and by hijacking DNS and HTTP traffic.

The hijacking capability allowed the threat actor to pivot from the router to workstations in the network where they likely deployed two additional custom-built RATs – one of which allowed for cross-platform functionality (i.e. Windows, Linux and MacOs). These additional RATs allowed the actor to upload/download files, run commands and persist on the workstation.

Black Lotus Labs also identified two distinct sets of command-and-control (C2) infrastructure. The first was developed for the custom workstation RAT and relied upon third-party services from Chinese companies. The second set of C2s was developed for the routers.

Using proprietary telemetry, researchers identified that, once infected, the routers communicated with other compromised routers to further obfuscate malicious activity.

“Router malware campaigns pose a grave threat to organizations because routers exist outside of the conventional security perimeter and can often have weaknesses that make compromise relatively simple to achieve,” said Mark Dehus, director of threat intelligence for Black Lotus Labs. “In this campaign, we have observed a threat actor’s capability to exploit SOHO routers, covertly access and modify internet traffic in ways difficult to detect and gain additional footholds in the compromised network.”

Dehus continued, “Organizations should keep a close watch on SOHO devices and look for any signs of activity outlined in this research. This level of sophistication leads us to believe this campaign might not be limited to the small number of victims observed. To help mitigate the threat, they should ensure patch planning includes routers, and confirm these devices are running the latest software available.”

For IoCs associated with this campaign, visit this GitHub page.