Researchers have identified the growth of a strain of malware called ZuoRAT that has been infecting SOHO routers across Europe and North America.
The malware is very sophisticated and has been targeting Small Office Home Office (SOHO) routers from some of the biggest names. Routers from ASUS, Cisco, DrayTek, and Netgear have been targeted, with others likely to have also been compromised. The malware was discovered by researchers from Lumen Technologies’ Black Lotus Labs and has apparently been in circulation since 2020. Quite why they waited this long to tell us isn’t clear.
“Consumers and remote employees routinely use SOHO routers, but these devices are rarely monitored or patched, which makes them one of the weakest points of a network’s perimeter,” the company’s threat intelligence team said.
The risk
ZuoRAT malware infects known vulnerabilities common in SOHO routers. It can then load an HTTP and DNS hijacker script to monitor and redirect internet traffic and up to three trojans, Cobalt Strike, CBeacon and GoBeacon.
“ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules),” the researchers said.
These trojans can harvest data and monitor everything that happens on connected devices. One trojan was written to target Windows devices, while another uses Go to targets MacOS.
According to Lumen Technologies, this threat is so sophisticated, they place the source as a nation state rather than hacking group.
“The capabilities demonstrated in this campaign — gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications — points to a highly sophisticated actor,” the researchers concluded.
Not only is ZuroRAT very clever and well coded, the infrastructure supporting it is also complex.
It uses multiple stages, the initial stages using standard content and redirects to obfuscate what’s happening. Each stage uses a virtual private server that hands traffic off
to another server through ‘safe’ routers before mixing up the content and sending visitors to the targeted destinations.
The end result is a network that’s completely compromised.
Internet traffic that can be completely monitored and redirected and the ability to the bad actor to view, copy, upload or download files to any device within that network.
“Once you are on the router you have a full trusted connection to poke and prod at whatever device is connected to it,” said Dahvid Schloss, offensive security team lead at Echelon. “From there, you could attempt to use proxychains to throw exploits into the network or just monitor all the traffic going in, out, and around the network.”
Mitigating against ZuroRAT
There are a few things you can do to protect yourself against ZuroRAT. Fortunately, most of them are simple enough for anyone to do.
The first is to reboot your router regularly. ZuroRAT cannot survive a reboot so setting a reboot schedule for remote workers or remote networks is a simple, easy fix.
Second, update all router firmware to the latest version in case the manufacturer has released a fix.
Third, if you’re a company with home or remote workers, use Indicators of Compromise or Secure Access Service Edge (SASE) systems as part of your network security infrastructure to provide an extra layer of protection.
SASE and IoC solutions are out of reach of smaller business, freelancers and homeworkers but should be accessible to larger business or enterprise.
If you work from home and don’t have these protections, schedule a router reboot regularly to help protect yourself from ZuroRAT.