Security researchers have uncovered a likely state-sponsored information-stealing operation targeting SOHO workers over the past two years.
Coinciding with the shift to mass remote working during the pandemic, the operation was focused on accessing corporate resources via less well-protected home routers, according to Lumen Technologies.
It targeted at least scores of SOHO devices from manufacturers including Asus, Cisco, DrayTek and Netgear in mainly North America and Europe.
It did this via three key stages:
- A first-stage RAT, dubbed “ZuoRAT,” developed for SOHO routers which exploited known vulnerabilities to enumerate the home network, collect data in transit, hijack home DNS/HTTP internet traffic and pivot to networked workstations
- A simple loader for Windows machines compiled in C++, which deployed three additional Trojans
- Three Trojans – Cbeacon, GoBeacon and Cobalt Strike – worked to download and upload files, hijack network communications and carry out process injection, among other things. The first two were custom made
The researchers also discovered two sets of command-and-control (C2) infrastructure, one developed for the routers and another for the workstation RAT, which relied on third-party services from Chinese companies.
Lumen Technologies added that once infected, the routers communicated with other compromised devices to further hide their malicious activity.
“The capabilities demonstrated in this campaign – gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications – points to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years,” the vendor argued.
Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs, warned that the campaign might be much broader than the small number of devices known to have been infected.
“Organizations should keep a close watch on SOHO devices and look for any signs of activity outlined in this research,” he added. “To help mitigate the threat, they should ensure patch planning includes routers, and confirm these devices are running the latest software available.”