Last year, cyberattacks against corporate networks reached record-setting levels in terms of frequency and size, mostly because of the Log4J vulnerability that was left unpatched by many organizations for several months. Earlier this month, a new and hard-to-detect malware was discovered on Linux-based systems that had been stealing credentials and enabling remote access for malicious actors. In a similar vein, a new stealthy remote access trojan dubbed ZuoRAT has been detected by security researchers at Lumen Black Lotus Labs. The team that discovered the new threat believes it has been infecting a wide range of home and small office (SOHO) routers across Europe and North America with malware that can take control of devices running Windows, Linux, or macOS.
This has been going on since at least December 2020, and ZuoRAT is believed to be part of a much broader malware campaign that took advantage of the sudden and massive shift to remote work and study. The malicious actors chose to attack consumer-grade routers with exploitable firmware that is rarely monitored and patched, if ever. Black Lotus Labs researchers claim they’ve identified at least 80 targets so far, and found ZuoRAT to be surprisingly sophisticated for malware that’s intended to compromise SOHO routers sold by Asus, Netgear, DrayTek, and Cisco. The malware campaign leverages no less than four different pieces of malicious code, and ZuoRAT is worryingly similar to other custom-built malware written for the MIPS architecture such as the one behind the infamous Mirai botnet of yesteryear. Once ZuoRAT makes its way into a router, the malicious actors can use DNS and HTTP hijacking to install additional pieces of malware dubbed Beacon and GoBeacon, as well as the widely-used Cobalt Strike hacking tool.
Researchers explained the campaign is aimed at several US and Western European organizations and the attackers have gone to extreme lengths to hide their activity through obfuscated, multistage C2 infrastructure. And while it’s only a suspicion at this point, the analyzed data indicates the attackers may be operating in the Chinese province of Xiancheng using data center infrastructure from Tencent and Alibaba’s Yuque collaboration tool. The good news is that router malware like ZuoRAT can be flushed out with a simple reboot of the infected device since that would wipe its files which reside in a temporary folder. A factory reset would be even better, but if the infected devices also contain the other pieces of malware they won’t be as easy to remove. Security analysts and system administrators can find more details about the technical aspects of the ZuoRAT campaign, including indicators of compromise and possible prevention tools, by reading the full report and consulting the Black Lotus Labs GitHub.