Researchers at Lumen Technologies have identified rapid growth in malware targeting Small Office/Home Office (SOHO) routers.
The malware has targeted some of the biggest names in networking, including routers from ASUS, Cisco, DrayTek and Netgear. These manufacturers supply home, small-business and large-enterprise routers, so the potential attack surface is very wide.
The growth of the ZuoRAT malware was identified by researchers at Lumen Technologies' Black Lotus Labs. It has apparently been in circulation since 2020 but has shown a marked growth in size and scale over the past couple of months.
The company's threat intelligence team is quoted as saying:
"Consumers and remote employees routinely use SOHO routers, but these devices are rarely monitored or patched, which makes them one of the weakest points of a network's perimeter,"
ZuoRAT is potent: it can redirect network traffic and scan every device connected to the LAN behind the infected router.
First, it uses HTTP and DNS hijacking rules to redirect web traffic to ad servers. It can then deliver up to three trojans, Cobalt Strike, CBeacon and GoBeacon, to connected devices. These trojans harvest data, monitor activity within the network and report back to the attacker.
CBeacon, written in C, targets Windows devices; GoBeacon, written in Go, targets macOS.
According to the researchers:
"ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules)."
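The rule-based DNS hijacking the researchers describe is something a LAN owner can test for directly: ask the router (the LAN's default resolver) and an independent reference resolver for the same names and flag names whose answers do not overlap. The following is an added example written for this page, not code from Lumen or from the ZuoRAT analysis; the resolver addresses, the domain list and the embedded sample response are constructed for illustration.

```python
# Added example: detect router-level DNS hijacking by comparing answers from the
# LAN's default resolver (normally the SOHO router) with a reference resolver.
# Not part of the original article; all sample data below is constructed.
from __future__ import annotations
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (recursion desired) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Skip a (possibly compressed) domain name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> list[str]:
    """Return the IPv4 addresses of A records in the answer section, in order."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                    # skip the echoed question(s)
        off = _skip_name(msg, off) + 4     # name, then QTYPE + QCLASS
    addrs: list[str] = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen                       # CNAME or other types are skipped
    return addrs


def query_a(resolver: str, name: str, timeout: float = 2.0) -> list[str]:
    """Send one UDP query to `resolver` and return its A records (does network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data)


def find_hijacks(local: dict[str, list[str]],
                 reference: dict[str, list[str]]) -> list[str]:
    """Names whose local answers share no address at all with the reference answers."""
    suspicious = []
    for name, ref_addrs in reference.items():
        loc = set(local.get(name, []))
        if loc and ref_addrs and not loc & set(ref_addrs):
            suspicious.append(name)
    return suspicious


# Constructed sample response: example.com -> 93.184.216.34, with the answer
# name given as a compression pointer (0xC00C) back to the question name.
CONSTRUCTED_RESPONSE = bytes.fromhex(
    "12348180000100010000000"
    "0"
    "076578616d706c6503636f6d0000010001"
    "c00c00010001000003e800045db8d822"
)

if __name__ == "__main__":
    # Assumed addresses: 192.168.1.1 is the router, 9.9.9.9 a public resolver.
    router, reference = "192.168.1.1", "9.9.9.9"
    names = ["example.com", "example.net"]   # constructed watch list
    local = {n: query_a(router, n) for n in names}
    ref = {n: query_a(reference, n) for n in names}
    for n in find_hijacks(local, ref):
        print(f"possible DNS hijack: {n} local={local[n]} reference={ref[n]}")
```

Two caveats matter in practice. A router that transparently intercepts all outbound port-53 traffic will answer the "reference" query too, so run the reference lookup over DNS-over-TLS/HTTPS or from outside the LAN. And CDN-fronted names legitimately return different addresses from different resolvers; the check only reports a name when the two answer sets are completely disjoint, and hits should be confirmed against the reference resolver's authoritative data before being treated as an infection.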
Black Lotus Labs attributes ZuoRAT to a nation-state actor: they say it is so sophisticated, and uses such an intricate infrastructure, that few organizations could pull it off.
The researchers concluded:
"The capabilities demonstrated in this campaign — gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications — points to a highly sophisticated actor."
Fortunately, the nature of ZuoRAT means mitigating it is relatively simple.
Because it lives in memory, a simple reboot of your router flushes it out. Scheduling regular reboots of your SOHO router therefore helps protect the network against ZuoRAT, but only until the device is reinfected through the same unpatched hole.
Also check regularly for firmware updates for your router; manufacturers may patch the vulnerability it uses to take hold in the coming months, and an unpatched router will simply be compromised again.