
SOHO Routers in North America and Europe Targeted With ‘ZuoRAT’ Malware

A remote access trojan (RAT) targeting small office/home office (SOHO) devices has remained undetected for nearly two years, according to security researchers with Black Lotus Labs, the threat intelligence arm of Lumen Technologies.

Dubbed ZuoRAT, the malware has been deployed on devices in North America and Europe as part of a sophisticated campaign targeting remote workers, which might have been conducted by a state-sponsored threat actor. At least 80 entities might have been impacted, the researchers estimate.

The attacks, which started in October 2020, targeted known vulnerabilities in SOHO routers from ASUS, Cisco, DrayTek, and NETGEAR for initial access, which then allowed the attackers to enumerate additional devices on the network and move laterally to more systems.

The Black Lotus Labs researchers also discovered evidence that workstations on the compromised network were likely infected with one of two custom RATs that enabled the attackers to download and upload files, to run commands, and achieve persistence.

ZuoRAT is a multi-stage RAT built specifically for SOHO routers. It is capable of enumerating the internal LAN, collecting data transmitted through the infected device, and performing man-in-the-middle attacks such as DNS and HTTP hijacking.

According to Black Lotus Labs, the use of SOHO routers for network enumeration and traffic hijacking implies a high level of sophistication by the threat actor behind the campaign, potentially hinting at a state-sponsored group.

A Windows loader used in the attacks was observed fetching a remote resource, likely to load a fully functional second-stage agent. Depending on the environment, the agent might have been a custom RAT (CBeacon – written in C++, or GoBeacon – written in Go, with cross-platform capabilities), or Cobalt Strike Beacon (used in lieu of either CBeacon or GoBeacon).

The ZuoRAT agent framework, the researchers say, can be divided into two components: one containing functions that run automatically, and another composed of functions that were likely meant to be invoked by additional commands.

The first component was meant to perform in-depth reconnaissance of the network, while the second component contained additional commands that would likely be run by modules downloaded based on the information gathered by the first component.

“We observed approximately 2,500 embedded functions, which included modules ranging from password spraying to USB enumeration and code injection. We focused on the LAN enumeration capability, which provided the actor additional targeting information for the LAN environment, and subsequent DNS and HTTP hijacking capabilities, attack styles that are traditionally difficult for defenders to detect,” Black Lotus Labs notes.
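The DNS hijacking capability described above works because the compromised router sits on the path between LAN clients and their resolver, so every answer it hands out is under the attacker's control. One defender-side check, shown here as an added example that is not from the SecurityWeek article or from Black Lotus Labs, is to resolve a set of important hostnames through the router's resolver and, independently, through an encrypted resolver the router cannot tamper with (for instance DNS-over-HTTPS to a resolver you trust), then compare the two. The sample answers below are constructed; the "same /24 means legitimate CDN rotation" rule and the list of non-routable ranges are assumptions made for this example and should be tuned to your environment.

```python
# Added example: flag DNS answers from the local router's resolver that
# disagree with answers from an independent, encrypted resolver.
# Not from the SecurityWeek article or Black Lotus Labs; sample data is constructed.
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data: hostname -> A records returned via the router's resolver.
ROUTER_ANSWERS: Dict[str, List[str]] = {
    "mail.example.com":  ["203.0.113.10"],    # identical to the reference answer
    "bank.example.net":  ["192.168.1.254"],   # public name pointed at a LAN address
    "cdn.example.org":   ["198.51.100.7"],    # same /24 as the reference (CDN rotation)
    "login.example.com": ["192.0.2.99"],      # unrelated address, no overlap at all
}

# Constructed sample data: the same names resolved via an independent DoH resolver.
REFERENCE_ANSWERS: Dict[str, List[str]] = {
    "mail.example.com":  ["203.0.113.10"],
    "bank.example.net":  ["203.0.113.40", "203.0.113.41"],
    "cdn.example.org":   ["198.51.100.20", "198.51.100.21"],
    "login.example.com": ["203.0.113.50"],
}

# Assumption: a public hostname should never resolve to one of these ranges.
# Listed explicitly rather than via ipaddress.is_private, because Python treats
# the RFC 5737 documentation prefixes used in this sample as "private" too.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def _prefixes(addrs: List[str], plen: int = 24):
    """Collapse a list of IPv4 addresses to the set of /plen networks containing them."""
    return {ipaddress.ip_network(f"{a}/{plen}", strict=False) for a in addrs}


def classify(qname: str, router_ips: List[str], reference_ips: List[str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one hostname.

    verdict is one of "hijack", "suspicious" or "ok".
    Assumption: legitimate CDN/anycast rotation stays within the same /24.
    """
    router = [ipaddress.ip_address(a) for a in router_ips]
    # A public name answered with a LAN/loopback/link-local address is the classic
    # on-path hijack: the client is steered to a host the attacker controls.
    if any(ip in net for ip in router for net in NON_ROUTABLE):
        return "hijack", f"{qname}: public name resolved to a non-routable address"
    if set(router_ips) & set(reference_ips):
        return "ok", f"{qname}: answer matches the reference resolver"
    if _prefixes(router_ips) & _prefixes(reference_ips):
        return "ok", f"{qname}: answer within the reference /24 (likely CDN rotation)"
    return "suspicious", f"{qname}: no overlap with reference answers"


def audit(router_answers: Dict[str, List[str]],
          reference_answers: Dict[str, List[str]]) -> Dict[str, Tuple[str, str]]:
    """Compare every router-provided answer against the reference resolver."""
    findings: Dict[str, Tuple[str, str]] = {}
    for qname, router_ips in router_answers.items():
        reference = reference_answers.get(qname)
        if reference is None:
            findings[qname] = ("unknown", f"{qname}: no reference answer available")
            continue
        findings[qname] = classify(qname, router_ips, reference)
    return findings


if __name__ == "__main__":
    for qname, (verdict, reason) in audit(ROUTER_ANSWERS, REFERENCE_ANSWERS).items():
        print(f"{verdict:10} {reason}")
```

In a real deployment the two answer sets would come from live lookups (one through the router as configured by DHCP, one over DoH/DoT to a pinned resolver), run periodically from a workstation on the LAN; a "hijack" or "suspicious" verdict on a name that does not change often is worth correlating with the router's firmware version and with outbound traffic from the router itself.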

The researchers also identified obfuscated, multistage command and control (C&C) infrastructure, likely meant to serve the various phases of the malware infection. Furthermore, China-based third-party infrastructure, such as Yuque and Tencent, was used for C&C.

The attackers used a dedicated virtual private server (VPS) to deliver the initial exploit, then abused routers as proxies to hide C&C communication, and avoided detection by periodically rotating proxy routers.

Related: Stealthy ‘SockDetour’ Backdoor Used in Attacks on U.S. Defense Contractors

Related: US Details Chinese Attacks Against Telecoms Providers

Related: New ‘Cyclops Blink’ Malware Linked to Russian State Hackers Targets Firewalls

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
