A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks.

The malware grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.

The stealthy operation, which targeted routers from ASUS, Cisco, DrayTek, and NETGEAR, is believed to have commenced in early 2020 during the initial months of the COVID-19 pandemic, effectively remaining under the radar for over two years.

"Consumers and remote employees routinely use SOHO routers, but these devices are rarely monitored or patched, which makes them one of the weakest points of a network's perimeter," the company's threat intelligence team said.

Initial access to the routers is obtained by scanning for known unpatched flaws to load the remote access tool, using it gain access to the network and drop a next-stage shellcode loader that's used to deliver Cobalt Strike and custom backdoors such as CBeacon and GoBeacon that are capable of running arbitrary commands.

In addition to enabling in-depth reconnaissance of target networks, traffic collection, and network communication hijacking, the malware has been described as a heavily modified version of the Mirai botnet, whose source code leaked in October 2016.

ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).

Also included is a function to harvest TCP connections over ports 21 and 8443, which are associated with FTP and web browsing, potentially enabling the adversary to keep tabs on the users' internet activity behind the compromised router.

Other capabilities of ZuoRAT allow the attackers to monitor DNS and HTTPS traffic with an aim to hijack the requests and redirect the victims to malicious domains using preset rules that are generated and stored in temporary directories in an attempt to resist forensic analysis.

The information contained in this website is for general information purposes only. The information is gathered from TheHackerNews, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.