ZuoRAT is new malware designed to attack small office/home office routers. It is particularly dangerous because it lets attackers reach the devices on the LAN behind the router and intercept any data passing through it.
What is ZuoRAT malware?
ZuoRAT is a Remote Access Trojan (RAT) that targets small office and home office (SOHO) routers. Its code is a heavily modified version of the Mirai botnet source, which was exposed in 2016. On June 29, 2022, researchers at Black Lotus Labs (part of Lumen Technologies) revealed the existence of this malware on SOHO routers from vendors such as Cisco and Netgear, predominantly on North American and European networks.
The researchers named the Trojan after the Chinese word meaning "left." The name comes from the filename the attackers used, "asdf.a," which, according to the researchers, indicates "Keyboard walking of the Left-hand home keys."
What are SOHO routers?
SOHO stands for small office/home office. SOHO routers are a category of router designed for home offices and small offices. They mainly route traffic between a Local Area Network (LAN) and another, usually larger, network, and they offer the same functionality as home broadband routers.
How ZuoRAT Malware affects network systems
According to the researchers, this novel multi-stage malware has been active since April 2020. ZuoRAT exploits known vulnerabilities in SOHO routers from several manufacturers and vendors, including Cisco, ASUS, DrayTek, and NETGEAR.
Using this malware, threat actors exploited unpatched vulnerabilities and stole sensitive information from the packets passing through infected routers. Although patches for these vulnerabilities exist, many SOHO users never applied them.
ZuoRAT gains unauthorized access to the LAN behind the router and captures the packets transmitted through the SOHO device. It then mounts man-in-the-middle attacks by hijacking HTTPS and DNS traffic. Researchers at Lumen Technologies (in this blog post) said the RAT does more than simply hop between SOHO devices. "The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization," they speculated.
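One practical way for a defender to look for the DNS hijacking described above is to resolve the same names through the router's resolver and through a trusted resolver, then flag names whose answers share no IP address. The script below is an added example and is not code from the original article or from Black Lotus Labs; it speaks raw DNS over UDP with only the standard library, and the resolver addresses, domain names and sample responses in it are constructed placeholders (RFC 5737 documentation ranges), not values from the campaign.

```python
import random
import socket
import struct

# Constructed placeholders: the LAN router's resolver and a trusted public resolver.
ROUTER_RESOLVER = "192.0.2.1"
TRUSTED_RESOLVER = "203.0.113.53"
NAMES_TO_CHECK = ["bank.example", "mail.example", "login.example"]


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels terminated by a zero length byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qid: int) -> bytes:
    """Standard recursive A-record query (flags 0x0100 = RD set)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(qid: int, name: str, ips: list, ttl: int = 60) -> bytes:
    """Build a constructed A-record response (used here only to test the parser offline)."""
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    body = encode_name(name) + struct.pack(">HH", 1, 1)
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + body


def _read_name(msg: bytes, offset: int):
    """Read a (possibly compressed) name; return (name, offset just past it in the record)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, follow it once
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg: bytes) -> set:
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    _qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = set()
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.add(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return answers


def query(resolver: str, name: str, timeout: float = 2.0) -> set:
    """Send one A query to a resolver and return the addresses it answers with."""
    qid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(512)
    if struct.unpack(">H", data[:2])[0] != qid:
        raise ValueError("DNS response ID does not match the query")
    return parse_a_records(data)


def compare_answers(router_answers: dict, trusted_answers: dict) -> list:
    """Names whose router answer shares no address with the trusted answer.

    A disjoint answer set is a lead, not proof: CDN-hosted names legitimately
    return different addresses per resolver, so confirm against a second trusted
    resolver before concluding the router is rewriting DNS.
    """
    suspicious = []
    for name in sorted(router_answers):
        router_ips, trusted_ips = router_answers[name], trusted_answers.get(name, set())
        if router_ips and trusted_ips and router_ips.isdisjoint(trusted_ips):
            suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    router = {n: query(ROUTER_RESOLVER, n) for n in NAMES_TO_CHECK}
    trusted = {n: query(TRUSTED_RESOLVER, n) for n in NAMES_TO_CHECK}
    for name in compare_answers(router, trusted):
        print(f"DIVERGENT ANSWER for {name}: router={router[name]} trusted={trusted[name]}")
```

Run it from a host on the LAN with the two resolver addresses set to your router and a resolver you trust; any name reported as divergent deserves a closer look at the router, and a factory reset plus firmware update if other signs of compromise are present.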
Researchers attributed the spread of ZuoRAT to a lack of awareness. According to them, the attackers use command-and-control (C&C, or C2) infrastructure to communicate with the remote Trojan. The Black Lotus Labs researchers wrote: "To avoid distrust, they passed the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Then, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication for further avoiding detection. And finally, they rotate proxy routers periodically to avoid detection."
Researchers also highlighted that this RAT is multi-stage malware. The first exploitation stage lets attackers gather information about the infected device and the LAN it is connected to.
In the next stage, ZuoRAT captures data packets travelling to and from that network.
The attacker controls the malware through command-and-control (C&C). Using this remote access, attackers can send additional commands to the router through the malware, and can download or run additional modules on the infected device.
"We observed (approx.) 2,500 embedded functions, which included modules ranging from USB enumeration to password spraying & code injection," the researchers wrote. The malware can also hide its activity from detection.
What to do if you suspect a ZuoRAT malware attack
If you suspect your router has been compromised, a simple restart can interrupt the initial exploitation stage and the malware's normal operation.
To recover fully, the researchers recommend performing a factory reset of the infected devices.
To protect your router against further ZuoRAT attacks, update its firmware to the latest version carrying the vendor's security patches.
For more information related to network device security, contact Packetlabs.