Threat Watch

APT Using SOHO Routers as Initial Compromise in Stealth Attack

Black Lotus Labs released research on a new attack campaign that went undiscovered for almost two years. The campaign appears to be highly sophisticated and is believed to be state-sponsored. The targets of the attack are Small Office/Home Office (SOHO) routers, which are infected using known vulnerabilities. To begin the attack, a MIPS file compiled for SOHO routers is pushed to the router. The malware, named ZuoRAT, is designed to collect information about the devices. Upon infection, the malware enumerates the hosts and internal LAN. It can capture network packets transmitted over the infected device and perform man-in-the-middle attacks, such as DNS and HTTP hijacking, based on a predefined ruleset. Upon execution, the malware tries to determine the public IP of the router by querying various online services; if none answer, the malware deletes itself. The next step in the attack is to access a workstation. This is done by deploying a Windows loader that downloads and executes one of three different trojans: CBeacon, GoBeacon, or Cobalt Strike. ZuoRAT appears to affect multiple manufacturers of SOHO routers, including Cisco, Netgear, ASUS, and DrayTek.


These attacks appear to be the work of a state-sponsored APT (Advanced Persistent Threat). Analysis indicates that the threat actors used Chinese characters in their work, but also used Arabic writing when uploading to one of the infected devices. This was likely done to make attribution more difficult. The threat actor's activity is consistent with cyberespionage, and they do not appear to be financially motivated. To protect themselves, SOHO users should regularly install firmware updates and patch security vulnerabilities. Multi-Factor Authentication (MFA) should also be used on all devices so that even with compromised credentials, a threat actor cannot simply log in to a SOHO router.