New Malware Hijacks SOHO Routers on the Target to Steal Sensitive Information

It has been identified recently that a RAT known as ZuoRAT is hijacking SOHO routers to target remote workers. As of 2020, the RAT has been undetected by security experts and has been targeting users in North America and Europe.

They claim that the complexity and TTPs used by the threat actors in this sophisticated campaign clearly depict that there are state-sponsored threat actors operating this malicious campaign.

As a result of the COVID-19 pandemic, this campaign appears to start right around the time that a quick transition to remote work is made. 

In short, the number of employees who used SOHO routers to connect to the corporate network and assets remotely at home dramatically increased because of this pandemic.

In addition to providing the attackers with deep network reconnaissance capabilities, passive network sniffing provided the attackers with traffic collection capabilities, and then with the help of an authentication bypass exploit script the multi-stage ZuoRAT was deployed on a router.

The ZuoRAT allows lateral movement to compromise devices or networks other than the one currently compromised. In addition to this, using DNS and HTTP hijacking it is also possible to deploy further malicious payloads like:-

  • Cobalt Strike
  • GoBeacon
  • CBeacon

Router Component

There are total two router components and here we have mentioned them below:-

  • Core Functionality
  • Embedded Exportable Functions

Technical Analysis

As a result of these additional malware deployments onto victims’ systems, threat actors gained access to the following capabilities:-

  • Gain persistence on compromised devices
  • Download files
  • Upload files
  • Hijack network traffic
  • Inject new processes
  • Run arbitrary commands

Along with monitoring DNS traffic and HTTPS traffic, ZuoRAT also allows the attackers to generate rules that are created and reserved in temporary directories. 

Through the use of these rules, the attackers are able to conceal their identities. The resulting rules can then be used to deceive the victims into visiting malicious sites using preset rules.

It was also found that some compromise routers were part of a botnet. These routers were used to reduce the detection efforts of the defenders by proxying the command and control traffic.


Here below we have mentioned all the recommendations:-

  • Monitor any suspicious infrastructure, as well as loaders and modules from Windows, by using the IoCs.
  • The best practice for users would be to reboot their routers on a regular basis as well as to install the latest security patches and updates.
  • In order to use the most effective EDR solutions on hosts, users should be sure that EDR solutions are correctly configured and updated on a regular basis.
  • To bolster their security posture and implement robust detection capabilities, companies should consider implementing a comprehensive Secure Access Service Edge (SASE).

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.