Researchers at Lumen’s Black Lotus Labs are reporting on a newly discovered multistage remote access trojan (RAT) dubbed ZuoRAT. The RAT has been used to target remote workers via small office/home office (SOHO) routers, which are rarely patched and are therefore easy points of entry. Researchers first noticed the attacks in April of 2020, coinciding with the increase in remote work due to the pandemic, and the campaign has spread across North America and Europe mostly undetected since then.
“… ZuoRAT and the correlated activity represent a highly targeted campaign against U.S. and Western European organizations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection. The extent to which the actors take pains to hide the C2 infrastructure cannot be overstated. First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection.
“The capabilities demonstrated in this campaign … point to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years.”
SOHO firmware has gotten better throughout the years, with vendors now signing the firmware before deployment, which stops malicious firmware uploads, and adding some security functions to prevent exploitation. SOHO firmware typically isn’t built with security in mind, especially pre-pandemic firmware, when SOHO routers weren’t a big attack vector. So, the only people screwing with it were people looking to create botnets. Also, you don’t need an advanced C2 framework to sit in the firmware either; just getting to a terminal where you can upload busybox (a small executable that combines a ton of Unix commands, commonly used for firmware testing where the commands are not organic) is enough. I’ve written SOHO malware in the past that is just a bash script running busybox to reverse SSH to a C2 server. Once you are on the router you have a full trusted connection to poke and prod at whatever device is connected to it. From there you could attempt to use proxychains to throw exploits into the network or just monitor all the traffic going in, out, and around the network.
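The proxy-C2 behaviour described in the quoted report (routers relaying to other routers, with the relay peer rotated over time) is something a network team can look for in its own flow records. The script below is an added example, not code from Lumen or Black Lotus Labs; the router address ranges and the flow records are constructed placeholders, and the only assumption is that the team knows which public addresses belong to the routers it manages.

```python
"""Flag managed SOHO routers that talk to other managed routers over the
internet, and routers whose router peers change over time.
Constructed flow records and TEST-NET address ranges; not from the report."""
from collections import defaultdict
import ipaddress

# Assumption: these are the public address ranges of routers this team
# manages (placeholder TEST-NET ranges, not real infrastructure).
MANAGED_ROUTERS = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample flows: (timestamp, src_ip, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (1000, "203.0.113.5", "93.184.216.34", 443, 2200),   # ordinary web traffic
    (1010, "203.0.113.5", "198.51.100.7", 8080, 600),    # router -> router
    (1020, "203.0.113.5", "198.51.100.7", 8080, 580),
    (1200, "203.0.113.5", "198.51.100.9", 8080, 610),    # relay peer changed
    (1300, "203.0.113.8", "93.184.216.34", 443, 3100),
]


def is_managed_router(ip: str) -> bool:
    """True if the address falls inside one of the managed router ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGED_ROUTERS)


def router_to_router_flows(flows):
    """Return flows where both endpoints are managed routers. SOHO routers
    at different sites normally have no reason to talk to each other."""
    return [f for f in flows
            if is_managed_router(f[1]) and is_managed_router(f[2])]


def rotating_peers(flows, min_peers=2):
    """Map each router to the distinct router peers it contacted. A router
    with several such peers over time matches the relay-rotation pattern."""
    peers = defaultdict(set)
    for _, src, dst, _, _ in router_to_router_flows(flows):
        peers[src].add(dst)
    return {src: sorted(p) for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for flow in router_to_router_flows(SAMPLE_FLOWS):
        print("router-to-router flow:", flow)
    print("routers with rotating router peers:", rotating_peers(SAMPLE_FLOWS))
```

On real data the flow tuples would come from NetFlow/IPFIX or firewall logs, and the hit list is a triage queue, not a verdict: legitimate site-to-site VPNs between managed routers need to be allow-listed first.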