Researchers at Lumen’s Black Lotus Labs are reporting on a newly discovered multistage remote access trojan (RAT) dubbed ZuoRAT. The RAT has been used to target remote workers via small office/home office (SOHO) routers that are rarely patched and so easy points of entry. Researchers first noticed the attacks in April of 2020, coinciding with the increase in remote work due to the pandemic, and has spread across North America and Europe mostly undetected since then.
“… ZuoRAT and the correlated activity represent a highly targeted campaign against U.S. and Western European organizations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection. The extent to which the actors take pains to hide the C2 infrastructure cannot be overstated. First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection.
“The capabilities demonstrated in this campaign … points to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years.”