Blog

What is ZuoRAT Malware

Only a tiny number of router-based malware programs have been successful in stealthily targeting sensitive networks. One such malware, named ZuoRAT, emerged during the Covid-19 pandemic. Threat actors took advantage of the abrupt shift to remote work caused by the pandemic to undermine many well-established organisations’ typical defence strategies. ZuoRAT has demonstrated dangerous capabilities, including accessing a variety of SOHO devices, gathering host and LAN data for targeting purposes, hijacking network communications to obtain potentially permanent access to in-house devices, and more. This blog will shine a light on the origin of the ZuoRAT malware, how it operates and how to defend against it.


What Is ZuoRAT Malware?

ZuoRAT is deemed by many as the descendant of the Mirai botnet. The multi-staged malware first started its vicious cycle of attacks in early 2020, when the first wave of COVID-related restrictions was imposed. The malware invaded networks by accessing their local area network and intercepting packets that were being transmitted between devices. It reaches deeper levels of infiltration by purposefully using siloed router-to-router communications to create a stealthy C2 (Command and Control) infrastructure. This presented a prime chance for a man-in-the-middle attack via DNS and HTTPS hijacking. Given the invisibility cloak-like mechanisms of ZuoRAT, we have strong reason to suspect that the threat actors carrying out the attack are employing professional-grade evasion tactics. Many conspiracy theories are attached to this dangerous malware; some researchers believe that state-sponsored threat actors have been hiding behind this cyber chaos. However, there is no proof backing this theory.

Another such claim is that ZuoRAT primarily targets SOHO routers, and this claim has serious backing. But first, what are SOHO routers? They are networking devices created for small businesses or homes to help them connect to the Internet. These routers enable multiple devices to connect at once. Cyber researchers have examined an operation that used compromised SOHO routers to primarily target relevant networks in North America and Europe. CISCO Systems, Netgear, ASUS, and other SOHO router manufacturers were the targets of this multi-stage remote access cyber attack, which has been active since April. As for the latest updates on ZuoRAT, a later section of the blog deals with its relevance in 2024.


Attack Phases of ZuoRAT: How the Malware Wreaks Havoc

1. Initial Access: Gaining entry through router vulnerabilities or weak credentials.

2. Router Compromise and Installation: Installing malware on the router, and performing man-in-the-middle attacks.

3. Lateral Movement: Scanning for vulnerable devices and deploying additional malware.

4. Command and Control (C2) Communication: Communicating with C2 servers to remotely control the infected devices.

5. Data Exfiltration: Collecting and sending sensitive data to C2 servers.

6. Persistence: Modifying configurations to ensure long-term presence and evade detection.


What Is It Capable Of Doing In 2024?

As we are aware, malicious threat actors have used ZuoRAT malware to take advantage of unpatched vulnerabilities and steal confidential data from compromised routers’ data packets. Despite the fact that fixes exist for these risks and vulnerabilities, only a handful of SOHO entities have deployed them. This creates a potent opportunity for ZuoRAT to target its victims. Today, via SOHO routers, ZuoRAT can not only gain unauthorised access to the local area network and intercept data packets being transferred, but also use DNS and HTTPS hijacking to launch man-in-the-middle attacks. According to some researchers, these RATs are no longer limited to hopping between SOHO devices. This multi-stage malware has grown even more dangerous. It uses the initial level of exploitation to gather details about the targeted device and the associated LAN. After that, it can use that information to launch a vast range of attacks, including password spraying, code injection and more. The fact that, to date, we are in the dark about the most basic details of ZuoRAT speaks volumes about its relevance. ZuoRAT is like a rat hiding in the dark tunnels, waiting for you to take a step and get bitten. Make no mistake, it is a powerful cyber ailment that can be contracted by any organisation. What can you do to be safe? Well, detection is key, and prevention is the best remedy. The following two sections of this blog will assist you with just that.


How to Detect ZuoRAT Malware?

ZuoRAT capitalises on the surge in remote work. Owing to the hybrid work culture, more business traffic is being routed over SOHO routers, which link small enterprises or home offices to the Internet. Because these routers are usually less secured and less monitored than their larger counterparts, the RAT can evade detection for a long stretch of time before being discovered. The goal of the ZuoRAT malware is to operate covertly on SOHO routers, which makes it difficult to detect. Nevertheless, there are some indicators and methods to spot its presence.

1. Monitor Your Router Traffic

Carefully look through your router logs for any unusual traffic patterns or outbound connections to unknown IP addresses. You should also be wary of any DNS requests that are rerouted or of DNS cache poisoning attempts.

2. Scan for Unauthorised Access

Check for any unauthorised remote access or login attempts on your router. See if any remote management features are turned on without your knowledge or approval.

3. Routinely Assess Router Firmware

Check whether your router’s firmware is up to date, as ZuoRAT is known to exploit outdated routers. Always probe the firmware and configuration settings for any signs of unauthorised changes.

4. Closely Examine Network Behaviour

Scan for any anomalies in the network by monitoring connected devices. You are on the lookout for any unusual increase in traffic or suspicious communications. Using endpoint security solutions can help identify dangerous lateral movement of malware across your devices.

5. Regular Inspection of DNS Settings

Make a habit of regularly inspecting your router’s DNS settings. This ensures that the malware does not change the resolvers or grant permissions without your knowledge.

Apart from that, you can also put in place security tools that help you with early and easy detection. You can use anti-malware tools that scan routers for any suspicious interactions.

Deploying an advanced intrusion detection and prevention system (IDPS) assists in monitoring network traffic for any sign of ZuoRAT activity. These tools are created to scan for router-specific threats and will work well to detect ZuoRAT malware.
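The three log checks above (router-originated connections to unknown hosts, DNS answers that no longer match the expected address, and changed resolver settings) can be automated. The script below is an added example, not code from the original post or from any vendor; the log format, the expected DNS answers, the approved resolvers and the LAN range are all assumptions, and the sample log lines are constructed.

```python
import re

# Constructed sample router log lines in an assumed syslog-like format (not real indicators).
SAMPLE_LOG = """\
Jun 01 10:00:01 router dnsmasq[123]: reply bank.example.com is 198.51.100.10
Jun 01 10:00:05 router dnsmasq[123]: reply bank.example.com is 203.0.113.77
Jun 01 10:00:09 router kernel: OUT src=192.168.1.1 dst=203.0.113.9 dpt=443
Jun 01 10:00:10 router kernel: OUT src=192.168.1.1 dst=9.9.9.9 dpt=53
Jun 01 10:00:12 router kernel: OUT src=192.168.1.1 dst=192.168.1.20 dpt=80
Jun 01 10:00:20 router uci: network.wan.dns changed to 203.0.113.53
"""

# Assumed baseline for this network: adjust to your own environment.
ROUTER_IP = "192.168.1.1"
LAN_PREFIX = "192.168."
EXPECTED_DNS = {"bank.example.com": {"198.51.100.10"}}  # known-good answers
TRUSTED_DNS_SERVERS = {"9.9.9.9"}                       # approved upstream resolvers
ROUTER_ALLOWED_DST = {"9.9.9.9"}                        # hosts the router itself may contact

DNS_REPLY = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\S+)")
OUTBOUND = re.compile(r"OUT src=(\S+) dst=(\S+) dpt=(\d+)")
DNS_CHANGE = re.compile(r"dns changed to (\S+)")


def analyse(log):
    """Return (indicator, detail) tuples for lines matching one of the three checks."""
    findings = []
    for line in log.splitlines():
        # Check 1: a monitored name resolved to an address outside the known-good set.
        m = DNS_REPLY.search(line)
        if m and m.group(1) in EXPECTED_DNS and m.group(2) not in EXPECTED_DNS[m.group(1)]:
            findings.append(("dns_answer_mismatch", f"{m.group(1)} -> {m.group(2)}"))
        # Check 2: the router itself opened a connection to a non-LAN host not on its allowlist.
        m = OUTBOUND.search(line)
        if m and m.group(1) == ROUTER_IP:
            dst = m.group(2)
            if not dst.startswith(LAN_PREFIX) and dst not in ROUTER_ALLOWED_DST:
                findings.append(("router_outbound", f"{dst}:{m.group(3)}"))
        # Check 3: the configured upstream resolver changed to an unapproved server.
        m = DNS_CHANGE.search(line)
        if m and m.group(1) not in TRUSTED_DNS_SERVERS:
            findings.append(("dns_server_changed", m.group(1)))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyse(SAMPLE_LOG):
        print(f"{indicator}: {detail}")
```

Run it against your own exported router log to get a short list of lines worth a manual look; a DNS answer mismatch and a resolver change in the same window is the pattern the DNS-hijacking step described above would produce.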


Latest Prevention Tips Against the ZuoRAT Malware

Learning about ZuoRAT might make it feel like the malware is a labyrinth that is impossible to break out of. To some extent, you are correct. There might be no breaking out of the maze once you are in it, but there sure are ways to stay out of it and safe. Believe us when we say that traditional tactics are an excellent defence for SOHO devices; routine patching and rebooting ought to be standard procedure. Don’t let a lapse in discipline give attackers an easier way in. If you own SOHO routers, you should apply security updates and patches on a regular basis and reset them in accordance with recommended standards. When it comes to EDR solutions, you should make use of appropriately configured and updated hosts and update software on a regular basis in line with vendor releases. Ensure you are using the latest versions of everything. If not, download the latest firmware and install it to ensure you have access to the most recent patches and to prevent your network from becoming compromised.

If you detect the presence of ZuoRAT in your system, you might still have time to protect yourself. To eliminate the threat on an infected device, you can simply restart it if you are concerned that your network has been infiltrated. However, a factory reset of the contaminated devices will be required, as it removes the malware and gives them a chance to fully recover. In its true sense, the most significant solution to the ZuoRAT malware problem would be better built-in defence mechanisms for routers and IoT devices. The only way to make that happen is for makers of routers and other Internet of Things devices to incorporate dynamic defences that can quickly and effectively handle the constantly shifting threat landscape. Because runtime exploit prevention deterministically detects and stops common exploitation patterns, including memory overflows, command injection and abnormalities in the execution flow, it offers an additional layer of defence against 0-day and 1-day vulnerabilities. Until that happens, to enjoy a continued layer of protection, take advantage of the above-mentioned tips and be careful! For more information on how to defend against ZuoRAT malware, you can reach out to GoAllSecure at +91 85 2723 7851 or +44 20 3287 4253.