
ZuoRAT targets home-office routers in Europe and North America

A sophisticated campaign targeting small office/home office routers, dubbed ZuoRAT, was identified by Black Lotus Labs this week.

In a byproduct of the work-from-home era, researchers this week reported that they found a sophisticated campaign that targets home networks in North America and Europe by compromising small office/home office (SOHO) routers from Asus, Cisco, and Netgear.

In a blog post, Black Lotus Labs, the threat intel arm of Lumen Technologies, said it identified a remote access trojan (RAT), dubbed ZuoRAT, developed for SOHO devices. The RAT lets the actor pivot into the local network and reach additional systems on a corporate LAN by hijacking network communications, all while maintaining an undetected foothold on the router.

The researchers said they named it ZuoRAT based on the Chinese word for "left," after the actor's file name, "asdf.a", which suggests keyboard walking of the left-hand home-row keys.

While compromising SOHO routers to gain access to a LAN is not a novel technique, such attacks are seldom reported. The researchers added that reports of person-in-the-middle-style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques in combination demonstrates a high level of sophistication, indicating that this campaign was potentially carried out by a state-sponsored organization, according to the researchers.

Routers or SOHO devices are juicy targets for threat actors because of the flexibility in the control they offer, said John Hammond, senior security researcher at Huntress. Hammond said more often than not, router gateways are not monitored or audited with the same scrutiny as typical workstation or server endpoints. After compromising a router, Hammond said the adversary may remain undetected, potentially sniff out local network traffic, or reflash the firmware for an even stronger level of persistence.

“Honestly, you don't often see SOHO attacks in the spotlight — it takes a sophisticated adversary to craft payloads and malware for embedded systems in low-level languages, so it’s no surprise to see Black Lotus Labs speculate ZuoRAT could be from a well-resourced state-sponsored actor,” Hammond said.

Hammond added that in their research, Black Lotus Labs said ZuoRAT takes advantage of vulnerabilities that are a bit too common in SOHO devices: logic flaws for authentication bypasses and unsanitized input for code injection. Hammond said too often, routers like these are not configured by the end-user to change default credentials or even apply patches and updates.

“The most striking detail to me is that if ZuoRAT could not determine a public IP address, it would not detonate and simply remove itself from the target,” Hammond said. “This is a defense evasion technique very common for traditional endpoint malware to detect if it’s being run inside of a sandbox — but it isn't something commonly done for router-based malware.”

Michael Skelton, senior director of security operations at Bugcrowd, said SOHO routers tend to lack the security features of more commercial offerings, and typically don't undergo in-depth configuration reviews or have their default settings changed.

“Speculation is that ZuoRAT is based on the Mirai malware, but it’s a heavily modified version,” Skelton said. “According to Black Lotus Labs, the malware grants the threat actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold. As SOHO routers would typically be used in less secure environments that aren't as actively monitored as commercial networks, this presents a softer attack surface that attackers are more likely to go undetected within, and gain a deeper foothold within, than they would when targeting more commercial offerings.”

John Bambenek, principal threat hunter at Netenrich, said SOHO routers are often bought by cost-conscious users. They lack robust security features, and because no one actively administers them, they never get patched or hardened, said Bambenek.

“As long as the internet works, the device gathers dust and remains forgotten,” Bambenek said. “ZuoRAT’s targeting of SOHO routers makes it more threatening than anything else. Its feature set is similar to those you’d use in an advanced attack, however, it is built for devices that likely have little in the way of defenses or detection capability. So, what can SOHO users do to bolster network and router security? On a regular basis, make sure these devices are updated and have no services listening on the external network, particularly administration portals.”
