ZuoRAT Malware Hijacks Home Office Routers to Spy on Targeted Networks


A never-before-seen remote access trojan called ZuoRAT selected small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks.

The malware “allows the actor to run in the local network and access additional systems on the LAN by hijacking network communications in order to maintain an undetected foothold,” Lumen Black Lotus Labs researchers said in a report shared with The Hacker News.

The covert operation, which targeted routers from ASUS, Cisco, DrayTek and NETGEAR, is said to have started in early 2020 during the early months of the COVID-19 pandemic and effectively stayed under the radar for more than two years.

“Consumers and remote workers routinely use SOHO routers, but these devices are rarely monitored or patched, making them one of the weakest points of a network’s perimeter,” the company’s threat intelligence team said.

Initial access to the routers is obtained by scanning for known, unpatched vulnerabilities to load the remote access tool, access the network and drop a next-stage shellcode loader used to run Cobalt Strike and custom backdoors such as CBeacon and GoBeacon, which are capable of executing arbitrary commands.

Beyond enabling deep reconnaissance of target networks, traffic collection and the hijacking of network communications, the malware has been described as a heavily modified version of the Mirai botnet, whose source code was leaked in October 2016.

“ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets sent through the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules),” the researchers said.

Also included is a feature to harvest TCP connections over ports 21 and 8443, which are associated with FTP and web browsing, potentially allowing the adversary to monitor the Internet activity of the users behind the compromised router.

Other capabilities of ZuoRAT allow the attackers to monitor DNS and HTTPS traffic with the aim of hijacking the requests and redirecting the victims to malicious domains using preset rules that are generated and stored in temporary directories in an attempt to resist forensic analysis.

That’s not the only step the hackers are taking to cover their tracks: the attacks rely on an obfuscated, multi-stage C2 infrastructure that uses a virtual private server to drop the initial RAT exploit and uses the compromised routers themselves as proxy C2 servers.

To further avoid detection, the staging server has been spotted hosting seemingly innocuous content, in one case mimicking a website called “muhsinlar.net”, a propaganda portal founded for the Turkestan Islamic Party (TIP), a Uyghur extremist outfit hailing from China.

The identity of the hostile collective behind the campaign remains unknown, although an analysis of the artifacts has revealed possible references to China’s Xiancheng province and the use of Alibaba’s Yuque and Tencent for command-and-control (C2).

The elaborate and evasive nature of the operation coupled with the tactics used in the attacks to remain undercover point to possible nation-state activity, Black Lotus Labs noted.

“The capabilities demonstrated in this campaign: access SOHO devices of various makes and models, collect host and LAN information to inform targeting, sample and hijack network communications to potentially gain permanent access to devices in the country, and intentionally hide C2 infrastructure by using multi-stage siloed router-to-router communication – indicate a highly sophisticated actor,” the researchers concluded.