Researchers uncover ZuoRAT malware targeting home-office routers
2022-06-28 14:51

Black Lotus Labs discovered a new remote access trojan called ZuoRAT, which targets remote workers via their small office/home office (SOHO) devices, including models from ASUS, Cisco, DrayTek and NETGEAR.

[Figure: Overview of campaign elements]

The campaign included ZuoRAT - a multi-stage RAT developed for SOHO routers, which gains access by exploiting known vulnerabilities in them - and it allowed the threat actor to enumerate the adjacent home network, collect data in transit, and hijack home users' DNS/HTTP internet traffic.
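The DNS hijacking described above works because a compromised router sits between every client on the home network and the internet, so it can substitute its own resolvers or its own answers. The following is an added example from the defender's side, not code from the Help Net Security article or from Black Lotus Labs: an offline check that flags two signals of this kind of tampering, a router advertising a resolver that is not on an allowlist, and answers seen through the router that share no address with answers from an independent trusted resolver. All IPs, hostnames and resolver lists are constructed sample data in RFC 5737 documentation ranges, and the function and field names are this example's own.

```python
"""Added example: offline checks for router-level DNS hijacking.
Not part of the original article; sample data is constructed."""

from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Finding:
    kind: str    # "unexpected_resolver" or "answer_mismatch"
    detail: str


def check_resolvers(advertised: List[str], allowed: Set[str]) -> List[Finding]:
    """Flag any DNS server the router hands out to clients (for example via
    DHCP option 6) that is not on the organisation's resolver allowlist."""
    return [Finding("unexpected_resolver", ip) for ip in advertised if ip not in allowed]


def check_answers(observed: Dict[str, Set[str]],
                  reference: Dict[str, Set[str]]) -> List[Finding]:
    """Compare answers obtained through the router with answers from an
    independent resolver reached over an encrypted channel the router cannot
    rewrite. CDN-backed names legitimately rotate addresses, so a name is
    flagged only when the two answer sets share no address at all, which
    keeps false positives down without missing a wholesale redirection."""
    findings: List[Finding] = []
    for name, got in observed.items():
        expected = reference.get(name)
        if expected is None:
            continue  # nothing trustworthy to compare against for this name
        if got.isdisjoint(expected):
            findings.append(Finding(
                "answer_mismatch",
                f"{name}: got {sorted(got)}, expected {sorted(expected)}"))
    return findings


def assess(advertised: List[str], allowed: Set[str],
           observed: Dict[str, Set[str]],
           reference: Dict[str, Set[str]]) -> List[Finding]:
    """Run both checks and return every finding, resolver problems first."""
    return check_resolvers(advertised, allowed) + check_answers(observed, reference)


# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
ALLOWED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}
ADVERTISED = ["192.0.2.53", "203.0.113.7"]          # second entry is off-list
OBSERVED = {
    "mail.example.com": {"203.0.113.10"},           # no overlap with reference
    "www.example.com": {"198.51.100.20", "198.51.100.21"},  # overlaps reference
}
REFERENCE = {
    "mail.example.com": {"198.51.100.30"},
    "www.example.com": {"198.51.100.21"},
}

if __name__ == "__main__":
    for finding in assess(ADVERTISED, ALLOWED_RESOLVERS, OBSERVED, REFERENCE):
        print(f"[{finding.kind}] {finding.detail}")
```

In practice the `observed` map would be filled from the stub resolver's answers on a client behind the router and the `reference` map from a resolver the router cannot tamper with; the disjoint-set rule is deliberately lenient so that ordinary CDN churn does not drown out a real redirection of a mail or login hostname.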

The hijacking capability allowed the threat actor to pivot from the router to workstations in the network where they likely deployed two additional custom-built RATs - one of which allowed for cross-platform functionality.

A second, separate set of command-and-control (C2) servers was developed for the routers.

Using proprietary telemetry, researchers identified that, once infected, the routers communicated with other compromised routers to further obfuscate malicious activity.

"Router malware campaigns pose a grave threat to organizations because routers exist outside of the conventional security perimeter and can often have weaknesses that make compromise relatively simple to achieve," said Mark Dehus, director of threat intelligence for Black Lotus Labs.
News URL

https://www.helpnetsecurity.com/2022/06/28/zuorat-malware-routers/