A new multistage remote access trojan ZuoRAT has been targeting SOHO routers in North America and Europe
A multistage remote access trojan (RAT) named ZuoRAT has been targeting remote workers through small office/home office (SOHO) routers across North America and Europe since 2020.
According to a report by security researchers at Lumen's Black Lotus Labs, the complexity of the targeted campaign and the attacker's tactics, techniques, and procedures (TTPs) indicate that the malware is operated by a state-sponsored threat actor.
The campaign began during the COVID-19 pandemic, when employees started working from home behind consumer-grade routers. The compromised routers were mostly ASUS, Cisco, DrayTek, and NETGEAR devices.
Lumen said in a statement, "This gave threat actors a fresh opportunity to leverage at-home devices such as SOHO routers, which are widely used but rarely monitored or patched, to collect data in transit, hijack connections, and compromise devices in adjacent networks."
The researchers added, "The sudden shift to remote work spurred by the pandemic allowed a sophisticated adversary to seize this opportunity to subvert the traditional defense-in-depth posture of many well-established organizations."
The multistage ZuoRAT malware exploits security flaws in the router to gain a foothold from which the threat actor can passively sniff the traffic passing through it. Once a router is compromised, ZuoRAT has been observed pivoting to several devices behind that single router, pushing additional payloads to them via DNS and HTTP hijacking: the router answers the victim's DNS queries or plain-HTTP requests with attacker-chosen results that steer the client to the payload.
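As an added example (not code from the Black Lotus Labs report or from ZuoRAT itself), the following Python script shows two heuristics a defender can run from a host behind a SOHO router to notice the kind of DNS and HTTP hijacking described above: compare the router's DNS answers against an out-of-band resolver the router cannot tamper with (for example DoH over a VPN), and flag plain-HTTP redirects that bounce the client to another host to fetch an executable. Every name, address and header below is constructed sample data, not a real indicator.

```python
# Added example: heuristics for spotting DNS and HTTP hijacking by an upstream
# SOHO router. Not from the Black Lotus Labs report; all inputs are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll", ".scr", ".ps1", ".sh", ".apk")

# Ranges a public hostname should never resolve to from a normal resolver.
# Checked explicitly rather than via ipaddress.is_private, because the sample
# data uses documentation ranges (TEST-NET) that is_private would also flag.
NON_PUBLIC_RANGES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class DnsObservation:
    qname: str
    router_answers: frozenset  # A records handed back by the router's resolver
    oob_answers: frozenset     # A records from an out-of-band resolver (e.g. DoH over a VPN)


def is_non_public(addr):
    """True if addr lies in an RFC 1918, loopback or link-local range."""
    a = ip_address(addr)
    return any(a in net for net in NON_PUBLIC_RANGES)


def dns_hijack_suspects(observations):
    """Return {qname: reason} for names whose router-supplied answers look hijacked.

    Signal 1: the router returns a non-public address for a public name (on-box
    interception). Signal 2: the router's answer set shares no address with the
    out-of-band answer set. CDNs rotate addresses, so signal 2 is a lead to verify,
    not proof; any overlapping address is treated as benign.
    """
    suspects = {}
    for obs in observations:
        non_public = sorted(a for a in obs.router_answers if is_non_public(a))
        if non_public:
            suspects[obs.qname] = f"router answered with non-public address {non_public[0]}"
        elif not (obs.router_answers & obs.oob_answers):
            suspects[obs.qname] = "router answers share nothing with out-of-band answers"
    return suspects


def http_hijack_suspect(request_host, status, headers):
    """Flag a plain-HTTP reply that redirects the client off-host to fetch a binary.

    headers is a dict with lower-case keys. A 3xx whose Location names a different
    host and whose path ends in an executable suffix matches the redirect-to-payload
    behaviour described above; same-host or non-binary redirects pass.
    """
    if not 300 <= status < 400:
        return False
    parts = urlsplit(headers.get("location", ""))
    if not parts.hostname or parts.hostname.lower() == request_host.lower():
        return False
    return parts.path.lower().endswith(EXECUTABLE_SUFFIXES)


# Constructed sample observations (documentation addresses, hypothetical names).
SAMPLE_DNS = [
    DnsObservation("updates.example.com",
                   frozenset({"203.0.113.10"}),
                   frozenset({"203.0.113.10", "203.0.113.11"})),   # overlap: benign
    DnsObservation("login.example.net",
                   frozenset({"192.168.1.1"}),
                   frozenset({"198.51.100.5"})),                   # router pointed at itself
    DnsObservation("cdn.example.org",
                   frozenset({"203.0.113.200"}),
                   frozenset({"198.51.100.40"})),                  # disjoint: verify
]

if __name__ == "__main__":
    for name, why in dns_hijack_suspects(SAMPLE_DNS).items():
        print(f"DNS  {name}: {why}")
    redirect = {"location": "http://198.51.100.77/patch/update.exe"}
    print("HTTP redirect-to-payload suspected:",
          http_hijack_suspect("updates.example.com", 302, redirect))
```

In practice the router-side answers come from the resolver the router hands out over DHCP, and the out-of-band answers from a resolver reached over an encrypted path the router cannot rewrite; a disjoint answer set is only a lead, so confirm with the registrar's authoritative servers before treating a name as hijacked.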