Lumen Technologies’ Black Lotus Labs warned that a newly discovered kind of malware has been targeting small business and home office routers since October 2020. Mark Dehus, director of threat intelligence for Black Lotus, told Fierce the so-called ZuoRAT threat remains active today.
According to Dehus, ZuoRAT is distinct from a recent telecom threat flagged by U.S. government officials, though it uses the same approach of exploiting known vulnerabilities in router software in order to gain access to a network. Once inside, ZuoRAT can be used to conduct a variety of attacks, including spying on network traffic or redirecting it to a malicious website that impersonates a real login portal in order to trick users into giving away their credentials.
“The mechanism that they’re using to gain access isn’t something earth-shattering,” Dehus explained, noting that routers in small and medium business and residential environments don’t often get updated and can remain exposed even if patches are available for known bugs. “The way they got in was not what was sophisticated. All the additional stuff they built on top of it was very sophisticated.”
Black Lotus’ research indicates ZuoRAT attacks have been targeted. Thus far, it has identified at least 80 impacted entities, though Dehus said that figure could be scratching the surface of a much larger campaign. He added that activity appeared to focus on the U.S. and western Europe as well as Hong Kong, though it didn’t seem to focus on a specific industry vertical.
While Black Lotus has only been able to uncover the exploit script for JCG routers, Dehus said known vulnerabilities in Cisco, DrayTek and Netgear equipment make them likely targets as well. Certain end-user equipment, such as out-of-date Windows machines, could also be at risk.
Asked whether the threat remains active, Dehus said “We don’t see any indications that it stopped.”
“An actor that goes through this much trouble to develop something like this, they’re not just going to put this on a shelf,” he continued. “Reporting about it might cause them to change their tactics, techniques and procedures…but it’s an active campaign still.”
To protect against ZuoRAT, Dehus said the first line of defense for organizations should be to develop a good understanding of all the devices running on the network and keep them up to date. Deploying a secure access service edge (SASE) solution is another option. Finally, Dehus said the ZuoRAT malware appears designed to disappear when machines are rebooted, so that offers a third option for protection.
Full details about the ZuoRAT malware can be found here.