What You Need to Know About ZuoRAT Malware

Security researchers at Lumen's Black Lotus Labs recently identified sophisticated malware that has been infecting small office and home office (SOHO) routers across North America and Europe. The router-resident component of this malware, dubbed ZuoRAT, is built on modified Mirai source code. However, unlike Mirai, which used compromised devices to conduct massive distributed denial-of-service (DDoS) attacks, ZuoRAT is designed to establish a foothold in local networks and conduct surveillance undetected.

How ZuoRAT Works

ZuoRAT appears to exploit known, unpatched vulnerabilities in consumer-grade routers from ASUS, Cisco, DrayTek, Netgear and potentially other brands to gain access to SOHO networks. Once inside, the attacker can enumerate all devices connected to the network, then use DNS or HTTP hijacking to deliver additional malware to those devices: the researchers observed custom loaders for Windows, Linux and macOS as well as Cobalt Strike beacons. Because SOHO routers are rarely monitored and seldom forward logs anywhere, attackers can remain undetected for long periods while intercepting network traffic and performing reconnaissance for further attacks. Over 2,500 embedded functions have been identified in the malware, enabling capabilities including password spraying, USB enumeration and code injection.
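The DNS hijacking described above leaves a detectable trace: the router's resolver returns answers for a public domain that a trusted external resolver does not, often pointing at a private address on the LAN itself. The script below is an added example, not code from the researchers' report or from the malware itself. It builds and parses raw DNS A queries with only the Python standard library, so the answers from the LAN resolver (assumed to be the router, e.g. 192.168.1.1) can be compared with those from a trusted resolver (assumed here to be 9.9.9.9; both addresses are placeholders). The hijacked reply used for the offline check is a constructed packet, not a capture.

```python
"""Compare A-record answers from the LAN resolver with a trusted resolver
to spot the kind of DNS hijacking used to push loaders onto LAN hosts."""
import ipaddress
import secrets
import socket
import struct

LAN_RESOLVER = "192.168.1.1"      # assumption: the SOHO router is the LAN resolver
TRUSTED_RESOLVER = "9.9.9.9"      # assumption: any resolver outside the LAN you trust


def build_query(name, txid):
    """Return a minimal DNS query (type A, class IN, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(data, offset):
    """Advance past a (possibly compressed) domain name; return the next offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data, txid):
    """Extract the set of IPv4 addresses in the answer section of a reply."""
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (possible spoofed reply)")
    if flags & 0x000F != 0:                # non-zero RCODE, e.g. NXDOMAIN
        return set()
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4   # skip QTYPE and QCLASS
    answers = set()
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.add(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return answers


def resolve_a(name, resolver_ip, timeout=3.0):
    """Query one specific resolver over UDP and return its A-record answers."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def assess(name, lan_answers, trusted_answers):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for ip in sorted(lan_answers):
        if ipaddress.ip_address(ip).is_private:
            findings.append(f"{name}: LAN resolver returned private address {ip} for a public name")
    if lan_answers and trusted_answers and not (lan_answers & trusted_answers):
        findings.append(f"{name}: LAN answers {sorted(lan_answers)} share nothing with "
                        f"trusted answers {sorted(trusted_answers)}")
    return findings


# Constructed reply (not a capture): the LAN resolver answers login.example.com
# with 192.168.1.1, i.e. the router itself, as a hijacking router might.
SAMPLE_HIJACKED_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x05login\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\xa8\x01\x01"
)


def check_sample():
    """Offline demonstration against the constructed reply."""
    lan = parse_a_records(SAMPLE_HIJACKED_REPLY, 0x1234)
    trusted = {"93.184.216.34"}            # constructed 'trusted' answer for the example
    return assess("login.example.com", lan, trusted)


if __name__ == "__main__":
    for line in check_sample():
        print(line)
    # Live use on your own LAN (requires network access):
    # for host in ("login.microsoftonline.com", "www.google.com"):
    #     print(assess(host, resolve_a(host, LAN_RESOLVER), resolve_a(host, TRUSTED_RESOLVER)))
```

A private address answered for a public name is a strong indicator and worth acting on. The second check (no overlap between the two answer sets) is only a hint, because CDNs legitimately return different addresses to different resolvers; treat it as a prompt to look closer, not as proof of compromise.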

Soft Targets

Researchers suspect that the ZuoRAT attack campaign started in October 2020, remaining undetected for nearly two years. SOHO routers typically have fewer security features than enterprise routers, are less likely to be patched or updated, and are rarely subjected to the comprehensive configuration reviews that many businesses perform on enterprise-grade devices. Many home users never change these devices' default login credentials. Due to these characteristics, SOHO routers represent "soft targets" for attackers to exploit.

The timing of the campaign suggests that attackers were capitalizing on the rapid shift to remote work at the onset of the pandemic – and the myriad attendant risks.

Protecting Yourself from ZuoRAT

The ZuoRAT attack campaign was still ongoing when it was disclosed, so if you're a remote worker or otherwise using a SOHO router, you may be at risk of infection. Moreover, a compromised home router sits between a remote worker and the corporate network, which lets attackers circumvent some corporate security controls and potentially gain access to your business's corporate network. Consider taking these steps to protect yourself:

  • Regularly reboot your router: ZuoRAT does not persist through a reboot, so restarting your router removes the router-resident component. However, a reboot does not close the vulnerability that let the attacker in, so the router can be reinfected until it is patched, and it does not remove malware already installed on connected devices.
  • Apply patches and update firmware: Set up a periodic reminder to ensure that you fix known vulnerabilities in your router by installing the latest software and firmware, and replace devices the vendor no longer supports.
  • Implement multi-factor authentication (MFA): Require MFA for all services open to the Internet. This defense-in-depth measure sharply limits what an attacker can do with credentials captured from hijacked traffic, even though it cannot stop every credential-based attack on its own.
  • Employ zero trust: Implement a zero trust architecture to protect your corporate network and assets from threats posed by remote access and home-based hardware.

MBL Technologies is dedicated to protecting you from the latest cyber threats. You can rely on our comprehensive cybersecurity services to identify vulnerabilities in your defense posture and devise sustainable, cost-effective solutions to keep you secure.

Learn more about our diverse set of technology services for the federal and commercial markets.