Security News > 2022 > June > ZuoRAT Malware Hijacking Home-Office Routers to Spy on Targeted Networks

A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office routers as part of a sophisticated campaign targeting North American and European networks.

The malware "Grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold," researchers from Lumen Black Lotus Labs said in a report shared with The Hacker News.

The stealthy operation, which targeted routers from ASUS, Cisco, DrayTek, and NETGEAR, is believed to have commenced in early 2020 during the initial months of the COVID-19 pandemic, effectively remaining under the radar for over two years.

Initial access to the routers is obtained by scanning for known unpatched flaws to load the remote access tool, using it gain access to the network and drop a next-stage shellcode loader that's used to deliver Cobalt Strike and custom backdoors such as CBeacon and GoBeacon that are capable of running arbitrary commands.

"ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks," the researchers said.

"The capabilities demonstrated in this campaign - gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications - points to a highly sophisticated actor," the researchers concluded.

News URL

https://thehackernews.com/2022/06/zuorat-malware-hijacking-home-office.html