Register now for better personalized quote!

This sophisticated malware is targeting routers to break into networks

Jun, 29, 2022 Hi-network.com
Image: Shutterstock

A newly discovered remote access trojan (RAT) called ZuoRAT has targeted remote workers by exploiting flaws in often unpatched small office/home office (SOHO) routers. 

Researchers at Lumen's Black Lotus Labs threat intelligence unit report that ZuoRAT is part of a highly targeted, sophisticated campaign that has been targeting workers across North America and Europe for nearly two years, beginning in October 2020. 

Recommends

The best cybersecurity certifications

These certifications can help you enter an industry with a high demand for skilled staff.

Read now

"The tactics, techniques and procedures (TTPs) that analysts observed are highly sophisticated and bear the markings of what is likely a nation-state threat actor," Lumen said.

SEE:Ransomware attacks: This is the data that cyber criminals really want to steal

Lumen explains that, when the pandemic sent workers home in March 2020, threat actors were given a fresh opportunity to target SOHO routers -- or edge network devices -- that are rarely monitored or patched by corporate network admins and which fall outside traditional network perimeters. 

The firm believes the malware's capabilities suggest it was the work of a highly sophisticated actor. 

These capabilities included: "gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications."

Lumen concedes it only has a narrow view of the actor's broader capabilities but its researchers assess with "high confidence" that the elements it is tracking are part of a broader campaign. 

Also, Lumen estimates this campaign has impacted at least 80 targets, but it says likely many more have been affected.

Black Lotus Labs notes that it observed telemetry indicating infections stemming from numerous SOHO router manufacturers, including ASUS, Cisco, DrayTek and Netgear.  

Elements of the campaign the researchers have gleaned to date include the ZuoRAT for SOHO routers, a loader for Windows compiled in C++, and three agents that allow device enumeration, downloading and uploading files, network (DNS/HTTP) communication hijacking, and process injection. 

The three agents included:

  • CBeacon -A custom developed RAT written in C++, which had the ability to upload and download files, run arbitrary commands and persist on the infected machine via a component object model (COM) hijacking method.
  • GoBeacon -A custom-developed RAT written in Go. This trojan had almost the same functionality as CBeacon, but also allowed for cross-compiling on Linux and MacOS devices.
  • Cobalt Strike -In some cases, this readily available remote access framework was used in lieu of either CBeacon or GoBeacon.    

"Router malware campaigns pose a grave threat to organizations because routers exist outside of the conventional security perimeter and can often have weaknesses that make compromise relatively simple to achieve," said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs. 

"Organizations should keep a close watch on SOHO devices and look for any signs of activity outlined in this research. This level of sophistication leads us to believe this campaign might not be limited to the small number of victims observed. To help mitigate the threat, they should ensure patch planning includes routers, and confirm these devices are running the latest software available." 

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next
  • 8 habits of highly secure remote workers
  • How to find and remove spyware from your phone
  • The best VPN services: How do the top 5 compare?
  • How to find out if you are involved in a data breach -- and what to do next

tag-icon Hot Tags : Tech Security

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.