"Researchers Uncover ZuoRAT Malware Targeting Home-Office Routers"

Security researchers at Black Lotus Labs discovered a new remote access trojan (RAT) called ZuoRAT, which targets remote workers via their small office/home office (SOHO) devices, including models from ASUS, Cisco, DrayTek, and NETGEAR. The researchers noted that ZuoRAT is part of a complex campaign that went undetected for nearly two years. The tactics, techniques, and procedures (TTPs) that analysts observed bear the markings of what is likely a nation-state threat actor. ZuoRAT is a multi-stage RAT developed for SOHO routers leveraging known vulnerabilities. In a recent campaign, ZuoRAT was used to enumerate the adjacent home network, collect data in transit, and hijack home users’ DNS/HTTP internet traffic. The actor was also able to remain undetected by living on devices that are rarely monitored and by hijacking DNS and HTTP traffic. Mark Dehus, director of threat intelligence for Black Lotus Labs, stated that router malware campaigns pose a grave threat to organizations because routers exist outside of the conventional security perimeter and can often have weaknesses that make compromise relatively simple to achieve. The researchers noted that organizations should keep a close watch on SOHO devices. To help mitigate the threat, organizations should ensure patch planning includes routers and confirm these devices are running the latest software available.

 

Help Net Security reports: "Researchers Uncover ZuoRAT Malware Targeting Home-Office Routers"

Submitted by Anonymous on