Security News > 2022 > June > ZuoRAT Can Take Over Widely Used SOHO Routers
The ability to not only hop on a LAN from a SOHO device and then stage further attacks suggests that the RAT may be the work of a state-sponsored actor, they noted in a blog post published Wednesday.
The level of evasion that threat actors use to cover up communication with command-and-control in the attacks "Cannot be overstated" and also points to ZuoRAT being the work of professionals, they said.
Researchers named the trojan after the the Chinese word for "Left" because of the file name used by the threat actors, "Asdf.a." The name "Suggests keyboard walking of the lefthand home keys," researchers wrote.
Threat actors deployed the RAT likely to take advantage of often unpatched SOHO devices shortly after the COVID-19 pandemic broke out and many workers were ordered to work from home, which opened up a host of security threats, they said.
Specifically, threat actors used a Python-compiled Windows portable executable file that referenced a proof of concept called ruckus151021.
Due to the capabilities and behavior demonstrated by ZuoRAT, it's highly likely that not only that the threat actor behind ZuoRAT is still actively targeting devices, but has been " living undetected on the edge of targeted networks for years," researchers said.