Malware, Breach

Hackers Use Remote Access Trojan to Target Home Office Routers

Cybercriminals have been using a previously unknown remote access trojan (RAT) to target small office/home office (SOHO) devices for nearly two years, according to Black Lotus Labs, the cybersecurity threat research division of Lumen Technologies.

The RAT, referred to as ZuoRAT, has the "markings" of a trojan from a nation-state threat actor, Black Lotus noted. Hackers began using ZuoRAT as part of a malware campaign in North America and Europe in October 2020. Since that time, they have used ZuoRAT to collect data in transit, hijack network connections and compromise devices.

What Happens During a ZuoRAT Attack?

ZuoRAT leverages known security vulnerabilities and allows a threat actor to access a SOHO network and remain undetected on devices connected to it, Black Lotus explains. It has a hijacking capability that enables an actor to pivot from a network router to workstations where it can deploy additional RATs. From here, the actor can upload and download network files and run commands.

In addition, ZuoRAT uses two sets of command-and-control (C2) infrastructure, says Black Lotus. One set was developed for a custom workstation RAT and leverages third-party services from Chinese companies. The other C2s were developed for routers.

Meanwhile, routers infected by ZuoRAT communicate with other compromised routers across a network, Black Lotus explains. This allows a threat actor to further disguise malicious activity.

Protecting Against ZuoRAT Attacks

Organizations can use secure access service edge (SASE) or similar solutions to bolster their security posture and detect and address network threats, Black Lotus says. They can encourage remote workers who use SOHO routers to regularly reboot their devices, install security updates and patches and set up and configure endpoint detection and response (EDR) solutions across their networks.

Black Lotus has added indicators of compromise (IoCs) from the ZuoRAT campaign to the Lumen Connected Security portfolio's threat intelligence feed. It also will continue to collaborate with the security research community and look for ways to help organizations protect against ZuoRAT and other threats.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.