ZuoRAT Capable of Overtaking SOHO Routers
- By Patrick Ryan
- Jul 06, 2022
If you own a SOHO router, you should be aware that ZuoRAT has the potential to take it over. SOHO routers provide wired and wireless broadband routing for small office and home office networks, which is what distinguishes them from the larger routers used in enterprise networks. Router devices from vendors such as Netgear, Asus, and Cisco are susceptible to this multistage malware, which has been active since at least the spring of 2020. The campaign is the work of a sophisticated attacker.
How Does the Malware Work?
ZuoRAT is a multistage remote access trojan (RAT). It exploits known vulnerabilities to target some of the industry's most widely deployed routers. Once on the router, the malware enumerates the local LAN and captures packets passing through the device. It then conducts man-in-the-middle attacks by hijacking DNS and HTTPS traffic. The attackers seized on unpatched routers after the pandemic began and employees were required to work from home.
Who is Behind the Attack?
ZuoRAT may be the product of a nation-state targeting specific victims. As Black Lotus Labs notes, the malware's ability to pivot from a SOHO device into the LAN and carry out further attacks makes it much more likely that a government is behind it. Combining these techniques so smoothly makes it clear that the attacker responsible is reasonably sophisticated.
It is also notable that the threat actors went to great lengths to conceal communication with their command-and-control (C2) infrastructure during the attack. As a result, forensic investigators are confident a professional designed the operation.
The attackers delivered the initial exploit from dedicated virtual private servers to avoid detection. They then used compromised routers as proxy C2s, hidden in plain sight because traffic to and from routers draws little scrutiny. The final element of the attack was rotating these proxy routers for added covertness.
Why is the Virus Named ZuoRAT?
The malware is called “ZuoRAT” because “zuo” is the Chinese word for “left”. The attackers used this Chinese word themselves, so it became part of the threat's moniker.
What Should Corporations and Other Organizations Do to Defend Against the Threat?
The actor behind ZuoRAT is a highly capable adversary, and security researchers believe ZuoRAT is still targeting devices. The attackers have likely been operating at the network perimeter, largely unnoticed, for a lengthy period. As a result, corporations and other organizations remain at risk.
Business owners and managers, along with IT and technical staff, should understand that once a router is compromised, the attackers are free to access and manipulate the devices connected to it. From there, proxy chains can deliver exploits into the network or monitor traffic moving into, out of, and around it. Implement the necessary protections, make your team aware of the threat, and you will rest easier knowing you did your part to prevent a potentially crippling attack.