+44 (0)203 88 020 88

0
0
Subtotal: £0.00

No products in the basket.

No products in the basket.

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

ZuoRAT Malware Targets Home-Office Routers

A multistage remote access trojan (RAT), known as ZuoRAT,  has been specifically developed to attack small office/home office (SOHO) routers. These devices have been more frequently used for work since the increase in home-working in 2020 due to the Covid-19 global pandemic. It is suspected that this attack has been going undetected for the past two years, and has primarily targeted SOHOs in North America and Western Europe. Lumen’s Black Lotus Labs have released a report this week explaining how this ZuoRAT malware works. 

SOHO routers are connected to the home office LAN as well as used to communicate with important work file locations over the web, however they are rarely monitored or patched. An increase in home working provided attackers with the opportunity to attack these vulnerable routers with little chance of detection. It is suspected that this campaign began in October 2020, and at least 80 targets have suffered this attack so far. 

The ZuoRAT attack begins by exploiting known vulnerabilities CVE-2020-26878 and CVE-2020-26879 using a Python-compiled Windows Potable Executable file to target SOHO routers such as ASUS, Cisco, DrayTek and NETGEAR, among others. This allowed the malware to obtain credentials, and manipulate the telnet command, using these to trigger the download of the ZuoRAT agent. In Lumen’s research, they noticed that ZuoRAT performs an IP query on the router to determine its public IP address, presumably to identify if it is running in a sandbox environment, and if an IP cannot be identified, then ZuoRAT deletes itself from the system. 

ZuoRAT is a MIPS file which can capture packets through a man-in-the-middle attack on the infected device. A pre-defined HTTPS/DNS hijacking ruleset is contained in this malware, which enables a Windows loader file to be deployed. This in turn deploys one of three crafted trojans: CBeacon, written in C++; GoBeacon, assumed to be able to target Windows, Linux and Mac OS as it is written in Go; and Cobalt Strike, the often-abused red team tool that is frequently used in attacks. The loaded trojan is then able to upload and download files, collect host and LAN information, and uses proxy C2 nodes to facilitate this.  

As many different SOHO makes and models appear to be vulnerable to this attack, it is hard to quantify just how widespread the risk is. All SOHO users should regularly reboot their routers, and Security Managers should develop a process to ensure the installation of security updates and patches in a timely manner for these devices which are located off the main corporate network. Businesses can monitor home workers to ensure these updates are being applied correctly, and can additionally consider other solutions such as Secure Access Service Edge (SASE) architecture to increase network security. 

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

Scroll to Top