New ZuoRAT malware targets SOHO routers in North America, Europe (Security News, June 2022)
A newly discovered multistage remote access trojan, dubbed ZuoRAT, has been used since 2020 to target remote workers through small office/home office (SOHO) routers across North America and Europe, going undetected the entire time.
The start of this campaign roughly lines up with the rapid shift to remote work at the beginning of the COVID-19 pandemic, which drastically increased the number of SOHO routers employees used to reach corporate assets from home.
"This gave threat actors a fresh opportunity to leverage at-home devices such as SOHO routers - which are widely used but rarely monitored or patched - to collect data in transit, hijack connections, and compromise devices in adjacent networks," Lumen says.
Once deployed on a router with the help of an authentication bypass exploit script, the multi-stage ZuoRAT malware provided the attackers with in-depth network reconnaissance capabilities and traffic collection via passive network sniffing.
"The capabilities demonstrated in this campaign - gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multi-stage siloed router to router communications - points to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years," the researchers added.
The additional malware deployed onto systems within victims' networks provided the threat actors with the ability to download and upload files, run arbitrary commands, hijack network traffic, inject new processes, and gain persistence on compromised devices.