ZuoRAT — Wazuh Detection Rules

Intro

NOTE: ZuoRAT description taken from the Lumen blog post.

ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules). Several infected routers act as proxy C2 nodes.

The threat intel platform OpenCTI includes all the entities, observables and relationships part of this attack chain:

OpenCTI — ZuoRAT IoCs and Relationships

Attack Phases.

SOHO Routers:

The first component was designed to glean information about the router and LAN, enable packet capture of network traffic and send the information back to the C2.

Upon execution, the agent gathered host-based information by running the uname command to send to the C2. It also attempted to gather the router’s public IP address. ZuoRAT would connect to the C2 and listen on port 48101.

ZuoRAT then used a scan function designed to survey the adjacent LAN’s internal IP addresses. Specifically, it scanned for a hardcoded list of open ports, including: 21, 22, 23, 80, 135, 139, 443, 445, 808, 902, 912, 1723, 2323, 3306, 5222, 5269, 5280, 5357, 8080, 8443 and 9001.

Next, ZuoRAT sent the reconnaissance information to the previously supplied C2.

Lastly, functions included in the code would allow the actor to collect network traffic on UDP, DNS and some TCP connections where data might be sent in the clear. A function was then initialized to collect TCP connections over the following specified ports: 20, 21, 80, 8080, 443 and 8443. This could allow the threat actor to obtain any credential passed in the clear, and gain insight into the browsing activity performed by the end user behind the compromised router.

DNS and HTTP Hijacking:

The code deployed in the router would look at the DNS requests that were being transmitted through the router and a custom DNS parser, providing statistics on the types of domains being requested by the victim. Other functions allowed the actor to update DNS hijacking rules specifying which domains to hijack, the malicious IP address resulting from the hijack and the number of times to trigger the rule.

For HTTP, the code would redirect a TCP-based connection that transited the device. It hijacked the process so that it could match the traffic pattern, which consisted of parameters for the following fields:

  • Source IP
  • Source Port
  • Destination IP
  • Destination Port
  • Protocol
  • URL

Pivot from compromised router to Windows hosts in the LAN

The Windows loader reached out to obtain a remote resource and then ran it on the host machine. It was used to load one of the following fully functional second-stage agents, depending on the environment:

  • CBeacon — A custom developed RAT written in C++, which had the ability to upload and download files, run arbitrary commands and persist on the infected machine via a component object model (COM) hijacking method.
  • GoBeacon — A custom-developed RAT written in Go. This trojan had almost the same functionality as CBeacon, but also allowed for cross-compiling on Linux and MacOS devices.
  • Cobalt Strike — We observed that in some cases this readily available remote access framework was used in lieu of either CBeacon or GoBeacon.

The list of Mitre TTPs can also be found in the OpenCTI report:

OpenCTI — ZuoRAT Correlation Matrix

Windows-based shellcodes, beacons and detection rules

Shellcode

The loader file was written in C++ and used to load a more robust RAT onto the infected workstation. The shellcode loader exhibited an interesting evasion technique: it masqueraded as a legitimate program by using a real Tencent certificate. While the binary certificate showed as being invalid in this case, this technique lowered the detection rate.

Certificate Issuer (Vendor): Tencent Technology(Shenzhen) Company Limited

The shellcode loader allocated space in memory and reached out to an embedded C2. Interestingly, the loader used a hard-coded Mac user-agent string, despite the samples themselves being compiled for Windows machines:

Mozilla/5.0 (Macintosh Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Detection Rule (Based on Sysmon Event 1):

<rule id="xxxxxx" level="12">
<if_sid>61603</if_sid>
<field name="win.eventdata.company">^Tencent Technology(Shenzhen) Company Limited$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - ZuoRAT Detection.</description>
<mitre>
<id>T1204</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_anomaly</group>
</rule>

CBeacon

CBeacon is a fully functional, custom-developed RAT with a low detection rate that allows an actor to persist on an infected workstation and exhibits ties to the Windows loader file. The agent is written in C++.

One function, referenced in the code as UBCmdAutoActivist, displayed a highly sophisticated persistence technique leveraging two embedded DLLs. The first DLL copied the original CBeacon file to the APPData directory and renamed it OneDriverUpdaterService.exe then hijacked the “InprocServer32 component object model (COM)” as described in web forums in 2018 and 2020. The program then overwrote the DLL host to enable execution upon Windows startup. (The pop-up window it opened indicates the functionality was copied from a PoC.)

Detection Rules (Based on Sysmon Event 7):

<rule id="xxxxx" level="12">
<if_sid>61609</if_sid>
<field name="win.eventdata.image">OneDriverUpdaterService.exe$</field>
<description>Sysmon - Event 7: Image loaded by $(win.eventdata.image) - ZuoRAT Detection.</description>
<mitre>
<id>T1059</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_anomaly,</group>
</rule>
<rule id="xxxxx" level="12">
<if_sid>61609</if_sid>
<field name="win.eventdata.imageLoaded">OneDriverUpdaterService.exe$</field>
<description>Sysmon - Event 7: Image loaded by $(win.eventdata.image) - ZuoRAT Detection.</description>
<mitre>
<id>T1059</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_anomaly,</group>
</rule>

The second DLL created a remote thread to inject into the explorer.exe process before loading the first DLL, then second DLL executed the first DLL via the command line. Depending on the number of command line arguments, the second DLL would either take the command line argument as a filename and delete itself or run without executing the UBCmdAutoActivist function.

Detection Rule (Based on Sysmon Event 1):

<rule id="xxxxxx" level="12">
<if_sid>61603</if_sid>
<field name="win.eventdata.image">OneDriverUpdaterService.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - ZuoRAT Detection.</description>
<mitre>
<id>T1204</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_anomaly</group>
</rule>

CobaltStrike:

In addition to CBeacon and GoBeacon, Black Lotus Labs observed a Cobalt Strike sample related to this activity cluster. This sample was compiled on April 8, 2022, and communicated with a hard-coded IP address, 110.42.185[.]232:8081/kGZQ, which is associated with Tencent cloud. This sample was correlated to the known activity cluster due to the commonalities found in its PDB path.

Cobalt Strike PDB path:
D:\c-code\c++\shellcode\sxianchengcopy–kehu\x64\Release\sc2.pdb

One of the Windows shellcode loader PDB paths:
D:\c-code\c++\shellcode\sxianchengcopy\Release\sc2.pdb

Detection: See previous blog entry.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SOCFortress

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).