Black Lotus Labs recently caught wind of a sophisticated effort that could have been run by a state-sponsored group. ZuoRAT, a multistage RAT created specifically for small office/home office (SOHO) routers, is being distributed as part of the campaign.
Operational data for ZuoRAT
An very focused effort targeting North American and European organisations is represented by ZuoRAT and the associated activities.
The campaign targets a variety of SOHO routers made by NETGEAR, ASUS, Cisco, and DrayTek.
With the aid of an authentication bypass exploit script, the malware is installed on a router after exploiting known vulnerabilities (CVE-2020-26878 and, in certain circumstances, CVE-2020-26879).
This effort makes use of third-party infrastructure situated in China, such as the Tencent platform and Alibaba’s Yuque platform, for covert command and control infrastructure.
It looks like ZuoRAT is a significantly altered variant of the Mirai botnet. Auto-run upon execution (the fundamental functionality) and explicitly integrated exportable routines make up its features (auxiliary commands).
The basic functionality component enables packet capture of network traffic, gathers data about the router and LAN, and transmits the data back to the C2.
The auxiliary commands concentrate on the LAN enumeration capability, which gives the actor more targeting data for the LAN environment, ensuing DNS and HTTP hijacking capabilities, persistence and agent maintenance, and attack techniques that are typically challenging for defenders to identify.
The Windows loader was used by the ZuoRAT malware campaign to get a remote resource and run it on the host computer. It was also utilised to load one of the second-stage agents that was completely operational.
The ZuoRAT capabilities suggest to a highly skilled player who may have been hiding out on the periphery of targeted networks for years. Organizations should make sure routers are patched and that they are using the most recent software versions as mitigating measures.