New ZuoRAT Malware Attacks Routers and Hijacks Connected Devices

A Wi-Fi router in the dark.
KsanderDN/Shutterstock

Our transition to remote work has some odd implications for security. While an office’s IT team may monitor a router’s activity and patch vulnerabilities, teleworkers rarely do the same for their home office routers. And that’s opened the door to new malware, such as ZuoRAT.

Identified and described by Black Lotus Labs, the ZuoRAT malware is a remote access trojan (or RAT). It collects and sends a victim’s private data to an outside threat actor, usually a hacker or group of hackers. But ZuoRAT is especially sophisticated and damaging, for several reasons.

First, ZuoRAT targets SOHO (small business/home office) routers. It collects DNS lookups and network traffic from its victims—that’s some incredibly sensitive data, especially if you’re a teleworker or small business. It doesn’t help that this malware is two years old. It’s slowly infected routers since 2020.

Stealing network traffic is one thing, but ZuoRAT isn’t just some passive malware. It deploys two additional RATs to network-connected devices once it infects a router. And once that’s done, ZuoRAT can install even more malware to devices on a local network. This attack could allow hackers to hijack an entire network of PCs, bring down a small business with ransomware, or turn a local network into a botnet.

ZuoRAT is custom-built on the MIPS architecture, and it’s basically undetectable with current security software. Also, it takes advantage of unpatched vulnerabilities in SOHO routers. Given the details, ZuoRAT may be the tool of a powerful hacking group or aggressive nation-state. (The last major SOHO router malware, called VPNFilter, was developed and deployed by the Russian government.)

The ZouRAT malware appears to infect SOHO routers from Cisco, Netgear, Asus, and DrayTek. Like most router malware, ZouRAT will die if you restart your router—removing the malware from other devices on your network may be a bit tricky, though.

If you own a SOHO router, I suggest restarting it and running an update for the latest firmware. But if this malware affects devices on your network, such as your PC, you may need to perform a factory reset.

Source: Black Lotus Labs