A multistage remote access trojan (RAT), known as ZuoRAT, has been developed specifically to attack small office/home office (SOHO) routers. These devices have carried far more work traffic since the shift to home working in 2020 brought on by the Covid-19 pandemic. The campaign is believed to have gone undetected for around two years, and has primarily targeted SOHO networks in North America and Western Europe. Lumen's Black Lotus Labs released a report this week explaining how the ZuoRAT malware works.
SOHO routers sit between the home office LAN and the internet, carrying traffic to corporate file shares and applications, yet they are rarely monitored or patched, and they fall outside most corporate logging and endpoint controls. The rise in home working gave attackers the opportunity to compromise these exposed routers with little chance of detection. The campaign is believed to have begun in October 2020, and at least 80 targets have been affected so far.
The ZuoRAT attack begins by exploiting the known vulnerabilities CVE-2020-26878 and CVE-2020-26879 using a Python-compiled Windows Portable Executable (PE) file, targeting SOHO routers from vendors including ASUS, Cisco, DrayTek and NETGEAR. This allowed the attacker to obtain credentials and, using them, issue telnet commands that trigger the download of the ZuoRAT agent onto the router. Lumen's researchers observed that, once running, ZuoRAT queries the router's public IP address; if no public address can be determined, presumably an indication that it is running in a sandbox or analysis environment rather than on a live internet-facing router, ZuoRAT deletes itself from the system.
ZuoRAT is a MIPS binary, the processor architecture common in SOHO routers, and it captures packets passing through the infected device, putting the attacker in a man-in-the-middle position for every host on the LAN. The malware carries a predefined set of DNS and HTTPS hijacking rules that redirect selected traffic so that a Windows loader can be delivered to workstations behind the router. This loader in turn deploys one of three custom-built trojans: CBeacon, written in C++; GoBeacon, written in Go and therefore assumed to run on Windows, Linux and macOS; and Cobalt Strike, the legitimate red team tool that is frequently abused in real attacks. The loaded trojan can upload and download files and collect host and LAN information, and it communicates through proxy command-and-control (C2) nodes to obscure the attacker's infrastructure.
Because so many SOHO makes and models appear to be exposed to this attack, it is hard to quantify how widespread the risk is. All SOHO users should reboot their routers regularly: a reboot clears an implant that lives only in memory, though it does not close the vulnerability that let it in, so security managers should also put a process in place to ensure that security updates and patches are installed promptly on these devices, which sit outside the main corporate network. Businesses can verify that remote workers' routers are actually receiving these updates, and can additionally consider measures such as a Secure Access Service Edge (SASE) architecture so that corporate traffic does not depend on the trustworthiness of the home router.