Black Lotus Labs released research on a new attack campaign that went undiscovered for almost two years. The campaign appears to be highly sophisticated and is believed to be state-sponsored. Its targets are Small Office/Home Office (SOHO) routers, which are infected using known vulnerabilities.

To begin the attack, a MIPS binary compiled for SOHO routers is pushed to the router; this malware, named ZuoRAT, is designed to collect information about the device and its network. Upon infection, the malware enumerates the hosts on the internal LAN. It can capture network packets transiting the infected device and perform man-in-the-middle attacks such as DNS and HTTP hijacking based on a predefined ruleset. Upon execution, the malware tries to determine the router's public IP address by querying various online services; if none of them answer, the malware deletes itself.

The next step in the attack is to access a workstation. This is done by deploying a Windows loader that downloads and executes one of three different trojans: CBeacon, GoBeacon, or Cobalt Strike. ZuoRAT appears to affect SOHO routers from multiple manufacturers, including Cisco, Netgear, ASUS, and DrayTek.
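The public-IP lookup step described above gives defenders a behavioural signal: the router itself, rather than a LAN host, contacting several IP-echo services in quick succession. The following detector over constructed router egress logs is an added example, not code from the Black Lotus Labs report or this page; the service hostnames, the router address and the log format are all assumptions.

```python
# Added example (not from the Black Lotus Labs report or this page): flag a
# SOHO router's own address contacting several "what is my IP" services within
# a short window, the post-execution behaviour described in the summary above.
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical placeholder hostnames, not the services the real malware used;
# replace with the IP-echo services seen in your own environment.
IP_ECHO_SERVICES = {"ip-lookup-a.example", "ip-lookup-b.example", "ip-lookup-c.example"}
ROUTER_ADDRESSES = {"192.168.1.1"}   # assumption: the router's LAN-side address

# Constructed log lines in the assumed format "<ISO timestamp> <src ip> <dst hostname>".
# The LAN host at the end hits one service only, which should not alert.
SAMPLE_LOG = """\
2022-06-01T10:00:01 192.168.1.20 www.example.org
2022-06-01T10:00:03 192.168.1.1 ip-lookup-a.example
2022-06-01T10:00:04 192.168.1.1 ip-lookup-b.example
2022-06-01T10:00:05 192.168.1.1 ip-lookup-c.example
2022-06-01T10:05:00 192.168.1.20 ip-lookup-a.example
"""

def parse_line(line):
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst

def find_ip_lookup_bursts(log_text, window=timedelta(seconds=60), min_services=2):
    """Return (src, first_ts, services) for each router address that contacts at
    least `min_services` distinct IP-echo services inside `window`."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst = parse_line(line)
        if src in ROUTER_ADDRESSES and dst in IP_ECHO_SERVICES:
            events[src].append((ts, dst))
    alerts = []
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct services reached within `window` of this starting hit.
            seen = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(seen) >= min_services:
                alerts.append((src, start, sorted(seen)))
                break   # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for src, ts, services in find_ip_lookup_bursts(SAMPLE_LOG):
        print(f"ALERT {src} at {ts.isoformat()} contacted {services}")
```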
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is