ZuoRAT Malware Targets SOHO Routers
A remote access trojan (RAT) known as ZuoRAT has been detected attacking small office/home office (SOHO) routers. Black Lotus Labs have been tracking the campaign, which has been active since 2020. ZuoRAT takes complete control of SOHO routers in North America and Europe.
Usually, when we talk about attacks against home routers and similar "IoT" devices, we mean nuisance malware like Mirai. But among the background noise are more sophisticated attacks that use the same simple exploits to turn these devices into a powerful distributed attack platform. This has been done in the past with MikroTik routers and others as well.
This malware relies on the premise that SOHO routers are not maintained or secured. Make sure that your routers are configured for automatic firmware updates, that remote management is either disabled or restricted to a small set of specifically authorized devices, and pay attention to any vendor-provided security posture check. Lastly, make sure the device is still supported, and replace it if not. This RAT cannot survive reboots, so if you think you're infected, reboot your router; then perform a factory reset to make sure only the settings you intend are in effect.
These routers are the first line of defense in "work from home" setups. Yet, as with many smart appliances ("things"), keeping them current is costly and rarely routine.