Black Lotus Labs discovered a remote access trojan and sophisticated campaign that aligns with nation-state activity. #pressrelease

June 28, 2022

2 Min Read

DENVER – Black Lotus Labs, the threat intelligence arm of Lumen Technologies (NYSE: LUMN), today announced that it discovered a new remote access trojan (RAT) called ZuoRAT, which targets remote workers via their small office/home office (SOHO) devices. It is part of a complex campaign that went undetected for nearly two years. The tactics, techniques and procedures (TTPs) that analysts observed are highly sophisticated and bear the markings of what is likely a nation-state threat actor.

When the pandemic forced offices to close, the rapid shift to remote work expanded security concerns as millions of employees began accessing corporate networks from home. This gave threat actors a fresh opportunity to leverage at-home devices such as SOHO routers – which are widely used but rarely monitored or patched – to collect data in transit, hijack connections, and compromise devices in adjacent networks.

Overview and Analysis of Malware Campaign

  • Black Lotus Labs recently discovered the highly targeted, sophisticated campaign which has been active in North America and Europe for nearly two years beginning in October 2020.

  • The campaign included ZuoRAT – a multi-stage RAT developed for SOHO routers leveraging known vulnerabilities – which allowed the threat actor to enumerate the adjacent home network, collect data in transit, and hijack home users' DNS/HTTP internet traffic. The actor was able to remain undetected by living on devices rarely monitored, and by hijacking DNS and HTTP traffic.

  • The hijacking capability allowed the threat actor to pivot from the router to workstations in the network where they likely deployed two additional custom-built RATs – one of which allowed for cross-platform functionality (i.e. Windows, Linux and MacOs). These additional RATs allowed the actor to upload/download files, run commands and persist on the workstation.

  • Black Lotus Labs also identified two distinct sets of command-and-control (C2) infrastructure.

  • The first was developed for the custom workstation RAT and relied upon third-party services from Chinese companies. The second set of C2s was developed for the routers.

  • Using proprietary telemetry from the Lumen global IP backbone, Black Lotus Labs identified that, once infected, the routers communicated with other compromised routers to further obfuscate malicious activity.

Read the full press release here.

Lumen

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.
Sign me up

You May Also Like

Latest News

AT&T Internet Air unboxing, including fixed wireless access point.
Fixed Wireless Access (FWA)
AT&T doubles 'Internet Air' subscriber tally in Q1
AT&T doubles 'Internet Air' subscriber tally in Q1

Apr 24, 2024

Verizon retail store in New York City
Operations
Verizon's second line strategy surprises
Verizon's second line strategy surprises

Apr 24, 2024

TikTok app icon on a smartphone screen.
Security
TikTok ban breaks new ground for US tech controls
TikTok ban breaks new ground for US tech controls

Apr 24, 2024

AT&T CEO John Stankey
Security
AT&T: What outage?
AT&T: What outage?

Apr 24, 2024

Upcoming Webinars
More Webinars

Popular whitepapers in 5G

thumbnail
5G
Operator transitions to 5G SA core decline YoY in 2023 – Counterpoint ResearchOperator transitions to 5G SA core decline YoY in 2023 – Counterpoint Research
Feb 29, 2024
3 Min Read
thumbnail
5G
5G Network Strategies Operator Survey: Powering 5G SA Networks5G Network Strategies Operator Survey: Powering 5G SA Networks
Feb 23, 2024
1 Min Read
thumbnail
5G
Apple, Samsung still tops in 5G smartphones – Counterpoint ResearchApple, Samsung still tops in 5G smartphones – Counterpoint Research
Feb 23, 2024
2 Min Read
May 21 - May 23, 2024
Join us for an immersive experience where the future of North American telecom industry unfolds in 2024.
LEARN MORE

Featured Videos

Sponsored Content
Heavy Reading analysts get ready for Network X Americas
Heavy Reading analysts get ready for Network X Americas
5G
Partner Content - How China Broadnet Built Its 5G Core Network – And How It’s Approaching 5.5G Core Network
Partner Content - How China Broadnet Built Its 5G Core Network – And How It’s Approaching 5.5G Core Network
Digital Transformation
Partner Content – What are the success factors for Ethio Telecom’s rapid digital transformation?
Partner Content – What are the success factors for Ethio Telecom’s rapid digital transformation?