June 28, 2022
CTIG Coverage of Black Lotus Labs’ ZuoRAT Report
Note: This blog post discusses active research by third parties into an ongoing threat. This information should be considered preliminary and will be updated as research continues.
On June 28, 2022, the threat intelligence section of Lumen’s Black Lotus Labs posted research into an ongoing and highly targeted campaign against North American and Western European organizations. The campaign takes advantage of the massive increase in “Work From Home” brought about by COVID-19: as workers have transitioned to remote status for extended periods, an organization’s attack surface has grown to include residential offices. The campaign focuses on exploiting Small Office/Home Office (SOHO) routers, the vast majority of which are rarely patched or monitored with any frequency. Black Lotus has identified a Remote Access Trojan (RAT) named ZuoRAT, which is designed to use a compromised SOHO router as a foothold into additional systems on the LAN by capturing information that transits the infected device and hijacking communications throughout the network.
With telemetry stretching back to December of 2020, ZuoRAT has been hiding in plain sight, using router-to-router communication and the rotation of compromised proxies to avoid detection. The RAT is also used to infect Windows computers behind the SOHO router. The malicious Windows code has been observed using Chinese third-party infrastructure, such as Tencent and Yuque, for its Command and Control (C2) communications and to host additional RATs.
Discovery of “ZuoRAT”
Using telemetry from the Lumen global IP backbone, Black Lotus discovered several infected routers acting as C2 proxy nodes. While not unheard of, attacks on SOHO routers are not widely reported. Once Black Lotus determined that these routers were also capable of a “person-in-the-middle” attack, it became clear that this was part of a sophisticated campaign by a high-level adversary. Through analysis of a router sample, they discovered embedded functionality that would allow the threat actor to pivot, or move laterally, from the router to workstations on the impacted LAN. Once on a workstation, the actor deployed a loader that contacted a remote resource to retrieve and run the next stage on the host machine. Depending on the environment, this process can call second-stage agents such as CBeacon, GoBeacon, and the Cobalt Strike framework.
The campaign elements, including the SOHO router model Black Lotus observed being exploited, appear as follows:
- Model J20 specifically via CVE-2020-26878 and CVE-2020-26879
- A Windows binary compiled from Python collected credentials and installed ZuoRAT
- A copy of the tool can be found here: ruckus151021.py.
Black Lotus has determined this RAT is sophisticated and has advanced functionality. To operate with greater discretion, it includes sandbox detection, the ability to harvest credentials from device memory, and a check for other running instances of itself. Additional features include advanced LAN enumeration, DNS and HTTP hijacking, components for persistence and agent maintenance, and finally deletion of the exploit from device memory.
Guidance for ZuoRAT
An extensive list of IOCs from known C2s to observed shellcode loader scripts, exploitation scripts, and router samples can be found here on the Black Lotus GitHub page. This was updated on 27 June and will be maintained going forward.
Black Lotus has shared its findings and will update its research with the community as more becomes available. Until then, recommended actions are:
- Network defenders: Use IoCs outlined in the report to monitor for the Windows loader and its modules, as well as connections to any suspicious infrastructure.
- Consumers with SOHO routers: Users should follow best practices of regularly rebooting routers and installing security updates and patches. Users should leverage properly configured and updated EDR solutions on hosts and regularly update software consistent with vendor patches where applicable.
- Businesses: Consider comprehensive Secure Access Service Edge (SASE) or similar solutions to bolster security posture and enable robust detection of network-based communications.
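The network-defender guidance above amounts to matching observed traffic and files against the published indicators. The following is an added example of that matching, not code from the Black Lotus report or the CTIG; the IOC feed format, the log records and every indicator value in it are constructed (reserved RFC 5737 address ranges, reserved example domains and a placeholder hash), so the real indicators from the Black Lotus GitHub page must be substituted before it is useful. Beyond plain equality it also flags a benign-looking DNS query whose answer lands in an indicator range, which is the shape a router-side DNS hijack takes in logs.

```python
"""Match constructed network/file logs against an IOC list.

Added example; all IOC values below are placeholders, not real ZuoRAT indicators.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder hash (64 hex chars), standing in for a loader SHA-256.
FAKE_LOADER_SHA256 = "b" * 64

# Constructed feed: one indicator per line, "<type> <value>", '#' starts a comment.
# The real Black Lotus feed is assumed to be converted into this shape beforehand.
IOC_FEED = f"""\
# type  value
ip      203.0.113.0/24
ip      198.51.100.7
domain  c2.example.net
sha256  {FAKE_LOADER_SHA256}
"""

# Constructed log records in a Zeek-like shape (dns / conn / file events).
SAMPLE_LOGS = [
    {"kind": "dns", "src": "192.168.1.10", "query": "update.c2.example.net", "answers": ["198.51.100.7"]},
    {"kind": "conn", "src": "192.168.1.10", "dst": "203.0.113.44", "dport": 443},
    {"kind": "conn", "src": "192.168.1.1", "dst": "9.9.9.9", "dport": 53},
    {"kind": "file", "host": "WS01", "path": r"C:\Users\a\Downloads\setup.exe", "sha256": FAKE_LOADER_SHA256},
    {"kind": "dns", "src": "192.168.1.12", "query": "www.example.com", "answers": ["93.184.216.34"]},
    # Benign name answered with an attacker address: what a hijacked resolver looks like.
    {"kind": "dns", "src": "192.168.1.12", "query": "login.example.com", "answers": ["203.0.113.9"]},
]


@dataclass
class IocSet:
    networks: list = field(default_factory=list)   # ip_network objects (single IPs become /32)
    domains: set = field(default_factory=set)      # lower-case, no trailing dot
    hashes: set = field(default_factory=set)       # lower-case hex


def parse_ioc_feed(text: str) -> IocSet:
    iocs = IocSet()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, value = line.split(None, 1)
        value = value.strip().lower()
        if kind == "ip":
            iocs.networks.append(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            iocs.domains.add(value.rstrip("."))
        elif kind == "sha256":
            iocs.hashes.add(value)
        else:
            raise ValueError(f"unknown IOC type {kind!r}")
    return iocs


def ip_hit(addr: str, iocs: IocSet) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in iocs.networks)


def domain_hit(name: str, iocs: IocSet) -> bool:
    # Exact match, or the name is a subdomain of a listed domain (label-boundary aware,
    # so "notc2.example.net" does not match "c2.example.net").
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in iocs.domains for i in range(len(labels)))


def match_record(rec: dict, iocs: IocSet) -> list[str]:
    reasons: list[str] = []
    if rec["kind"] == "dns":
        if domain_hit(rec["query"], iocs):
            reasons.append(f"query {rec['query']} matches domain IOC")
        for ans in rec.get("answers", []):
            try:
                if ip_hit(ans, iocs):
                    reasons.append(f"answer {ans} for {rec['query']} in IOC range (possible DNS hijack)")
            except ValueError:  # CNAME answer rather than an address
                if domain_hit(ans, iocs):
                    reasons.append(f"CNAME {ans} for {rec['query']} matches domain IOC")
    elif rec["kind"] == "conn":
        if ip_hit(rec["dst"], iocs):
            reasons.append(f"connection to {rec['dst']}:{rec['dport']} in IOC range")
    elif rec["kind"] == "file":
        if rec["sha256"].lower() in iocs.hashes:
            reasons.append(f"{rec['host']} {rec['path']} matches loader hash IOC")
    return reasons


def scan(logs: list[dict], iocs: IocSet) -> list[tuple[int, str]]:
    """Return (record index, reason) for every indicator hit."""
    return [(i, r) for i, rec in enumerate(logs) for r in match_record(rec, iocs)]


IOCS = parse_ioc_feed(IOC_FEED)

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_LOGS, IOCS):
        print(f"record {idx}: {reason}")
```

One caveat when applying this to the real indicators: the Windows stages reportedly use shared third-party infrastructure (Tencent, Yuque), so matching on bare IP ranges for those hosts will also flag legitimate traffic. For such providers, match the full URL or hostname indicator rather than the address.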
CTIG’s look into the future
While the campaign seems to have been used against selective targets to this point, it should be pointed out that it may be effective against a wide variety of IoT devices, not just routers. ZuoRAT is written for the MIPS architecture, and devices using MIPS range from PlayStations to Tesla cars, not just home gateways and routers.
The Cybrary Threat Intelligence Group (CTIG) will continue to collaborate with the security research community to provide timely information on this threat as it evolves.
Stay up to date on CTIG news by following Cybrary and our Head of CTIG, David Maynor, on social media.