ZuoRAT is a remote access trojan (RAT) that attacks small office/home office (SOHO) routers.

On June 29, 2022, Black Lotus Labs, the threat intelligence arm of Lumen Technologies, revealed the existence of this vulnerability. The code appears to be a heavily modified version of the code behind the Mirai botnet. The source code for Mirai was released in 2016.

According to the security researchers, the threat targeted North America and Europe, and may have remained undetected for two years. The attacks started in October 2020 and targeted known vulnerabilities in routers from ASUS, Cisco, DrayTek, and NETGEAR. Attackers were then able to identify more devices on the network and move laterally to additional systems. Given the timing, it is likely that the attackers took advantage of the rapid shift to work-from-home brought upon by the COVID-19 pandemic.

How are users infected?

According to Black Lotus Labs, “ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).”

The ZuoRAT attack begins by exploiting known vulnerabilities CVE-2020-26878 and CVE-2020-26879 using a Python-compiled Windows Portable Executable file to target SOHO routers. However, the researchers have only been able to gain access to the exploit script for JCG-Q20 model routers. Therefore, it’s possible that there are additional exploits not yet known. The malware queries several web services to gain the router’s public IP address. If it does not obtain the public IP address, then ZuoRAT deletes itself.

It is likely that the threat actor used unpatched vulnerabilities to steal credentials from the targeted routers. Although patches for these vulnerabilities exist, device administrators often don’t apply the patches.

Who is behind the attack?

While the threat technique of compromising SOHO routers as an attack vector to gain access to an adjacent LAN is not unique, it is not frequently reported. According to the researchers, “reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization.”

Conclusion

While there have always been many ways for malicious actors to target networks, there is only a handful of router-based malware. Black Lotus Labs notes that they “hypothesize [the attack] has been living undetected on the edge of targeted networks for years.”

Therefore, it is critical that users – and particularly individuals and small businesses – protect their traffic at the point of entry: their router. Endpoint security simply doesn’t protect connected devices. Additionally, most home and small business networks are too small, and administrators are not sophisticated enough, to use additional mitigation measures such as micro-segmentation.

To protect their customers, many communication service providers are turning to network-based security which stops the attacks on the network level before they even reach their customers’ devices.

Of the Indicators of Compromise related to this threat, most are IP addresses. Therefore, DNS-based security solutions do not provide sufficient protection as they do not block IP addresses. It is critical to not rely on DNS-based security for complete protection. The good news is that customers using Allot Secure, including NetworkSecure and the router-based HomeSecure and BusinessSecure are protected from this attack.