Connect with us

Hi, what are you looking for?


Routers from brands like Asus, Netgear, and Cisco are being targeted by a sophisticated malware campaign

Why it matters: The shift to a hybrid work model with many employees working from home has opened up a new avenue for malicious actors. Security researchers warn that a sophisticated malware campaign has been targeting North American and European home and small office networks through router malware that has largely gone unnoticed until recently.

Last year, cyberattacks against corporate networks reached record-setting levels in terms of frequency and size, mostly because of the Log4J vulnerability that was left unpatched by many organizations for several months. Earlier this month, a new and hard-to-detect malware was discovered on Linux-based systems that had been stealing credentials and enabling remote access for malicious actors.

In a similar vein, a new stealthy remote access trojan dubbed ZuoRAT has been detected by security researchers at Lumen Black Lotus Labs. The team that discovered the new threat believes it has been infecting a wide range of home and small office (SOHO) routers across Europe and North America with malware that can take control of devices running Windows, Linux, or macOS.

This has been going on since at least December 2020, and ZuoRAT is believed to be part of a much broader malware campaign that took advantage of the sudden and massive shift to remote work and study. The malicious actors chose to attack consumer-grade routers with exploitable firmware that is rarely monitored and patched, if ever.

Black Lotus Labs researchers claim they’ve identified at least 80 targets so far, and found ZuoRAT to be surprisingly sophisticated for malware that’s intended to compromise SOHO routers sold by Asus, Netgear, DrayTek, and Cisco.

The malware campaign leverages no less than four different pieces of malicious code, and ZuoRAT is worryingly similar to other custom-built malware written for the MIPS architecture such as the one behind the infamous Mirai botnet of yesteryear.

Once ZuoRAT makes its way into a router, the malicious actors can use DNS and HTTP hijacking to install additional pieces of malware dubbed Beacon and GoBeacon, as well as the widely-used Cobalt Strike hacking tool.

Advertisement. Scroll to continue reading.

2022 06 29 image 16

Researchers explained the campaign is aimed at several US and Western European organizations and the attackers have gone to extreme lengths to hide their activity through obfuscated, multistage C2 infrastructure. And while it’s only a suspicion at this point, the analyzed data indicates the attackers may be operating in the Chinese province of Xiancheng using data center infrastructure from Tencent and Alibaba’s Yuque collaboration tool.

The good news is that router malware like ZuoRAT can be flushed out with a simple reboot of the infected device since that would wipe its files which reside in a temporary folder. A factory reset would be even better, but if the infected devices also contain the other pieces of malware they won’t be as easy to remove.

Security analysts and system administrators can find more details about the technical aspects of the ZuoRAT campaign, including indicators of compromise and possible prevention tools, by reading the full report and consulting the Black Lotus Labs GitHub,

Click to comment

Leave a Reply


Loan And Finance

From left, Firefighters Sergio Porras, Jerome Alton and Natasha Rodocker mop up hot spots while battling the Oak Fire in the Jerseydale community of Mariposa County,...

Social Media

Google’s looking to add more context to its Search results, in order to mitigate the spread of misinformation, by adding improved contextual data matching...

Top Stories

The chief of Australia’s financial services regulator Joe Longo has raised the alarm over the sheer amount of people that invested in “unregulated, volatile”...


On Wednesday, the commissioners court of Zavala County—the 11,000-person county immediately south of Uvalde—passed a resolution urging Republican Governor Greg Abbott to call a...


South Florida burger missionary Jeffrey Lemmerman, better known by his Instagram handle, Cheffrey Eats, claims not to know that this is National Sandwich Month:...


Former President Donald Trump called late Thursday for the “immediate” release of the federal warrant the FBI used to search his Florida estate, hours...


You May Also Like


Introductions get a lot of attention. I’ve explored the topic of how to write them even though as a reader, I always skip them....

Online Business Success

The internet is now our nervous system. We are constantly streaming and buying and watching and liking, our brains locked into the global information...

SEO Guide

There are all kinds of pictures of the world on the internet, but to find one of these specific pictures that you want to...

Online Business Success

You can think of link building in many ways. I like to call it tedious, painful, and a test of patience. It’s also necessary...