ZuoRAT Malware

ZuoRAT is a remote access trojan (RAT) that has been active since at least 2020 but was first detected in the wild in 2022. The malware primarily targets small office/home office (SOHO) routers sold to North American and European markets.


How Does ZuoRAT Work?

ZuoRAT is a descendant of Mirai, one of the most famous Internet of Things (IoT) botnets in history. Mirai’s source code was leaked in 2016, enabling other malware to build on its existing codebase.

ZuoRAT took advantage of the boom in remote work inspired by the COVID-19 pandemic. Due to the pandemic, a greater volume of business traffic now passes through SOHO routers, which connect home offices or small businesses to the Internet. These routers are typically less monitored and secured than their larger counterparts, which is likely why the RAT managed to fly under the radar for over a year before being detected.

ZuoRAT gains access to SOHO routers by exploiting unpatched vulnerabilities. These vulnerabilities are publicly known; however, few individuals and small businesses apply the patches, leaving them vulnerable to exploitation. After gaining access to a router, the primary goal of ZuoRAT is the collection of sensitive data. It eavesdrops on communications passing through the router and performs man-in-the-middle (MitM) attacks on HTTP and DNS traffic.
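One way a defender can look for the DNS and HTTP manipulation described above, as an added example that is not code from Check Point or from any ZuoRAT analysis: resolve names both through the router and through an independent resolver reached out-of-band and compare the answers, and flag plaintext-HTTP redirects that send a client to a different site. The hostnames, addresses and sample responses are constructed, and the local-range and same-site rules are assumed heuristics.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges a public hostname should never resolve to; an answer inside one suggests
# the resolver is steering clients to the LAN or to the router itself.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def check_dns(name, router_answer, reference_answer):
    """Compare A records for one name as seen through the SOHO router with those
    from an independent resolver reached out-of-band. Returns finding strings.
    Partial overlap is tolerated because CDNs legitimately rotate addresses."""
    router_answer, reference_answer = set(router_answer), set(reference_answer)
    findings = []
    if router_answer and not router_answer & reference_answer:
        findings.append(f"{name}: router answers {sorted(router_answer)} share "
                        f"nothing with reference {sorted(reference_answer)}")
    for addr in router_answer:
        if any(ipaddress.ip_address(addr) in net for net in LOCAL_NETS):
            findings.append(f"{name}: public name resolved to local address {addr}")
    return findings

def same_site(a, b):
    # Heuristic: last two labels match (no public-suffix list, so co.uk etc. differ)
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]

def check_http(requested_host, status, location):
    """Flag a plaintext-HTTP redirect to another site. A transparent MitM on the
    router can inject such a response before TLS is negotiated, which is how a
    hijack to a phishing page would surface in a proxy or web-gateway log."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return []
    target = urlsplit(location).hostname or ""
    if target and not same_site(requested_host, target):
        return [f"{requested_host}: HTTP {status} redirect to foreign host {target}"]
    return []

# Constructed sample observations, not real captures: (name, via router, reference)
DNS_SAMPLES = [
    ("mail.example.com", {"198.51.100.10"}, {"198.51.100.10", "198.51.100.11"}),
    ("login.example.com", {"203.0.113.77"}, {"198.51.100.20"}),
    ("portal.example.com", {"192.168.1.1"}, {"198.51.100.30"}),
]
# Constructed sample responses to plaintext requests: (host, status, Location)
HTTP_SAMPLES = [
    ("example.com", 301, "https://www.example.com/"),
    ("login.example.com", 302, "http://update.example-cdn.net/"),
]
def run_checks():
    findings = [f for s in DNS_SAMPLES for f in check_dns(*s)]
    return findings + [f for s in HTTP_SAMPLES for f in check_http(*s)]
```

The DNS comparison only works if the reference resolver is reached without passing through the suspect router (for example over a mobile connection), since an on-path router could otherwise rewrite both queries.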

As a RAT, the malware also provides the attacker with the ability to remotely control the infected devices. After collecting information about the infected devices and the networks that they are connected to, the malware operator can decide to run certain commands on the systems or download additional modules.

ZuoRAT’s modularity provides it with a wide range of capabilities. An estimated 2,500 different modules have been identified for the malware, enabling attackers to launch highly customized attacks against infected systems and networks.

How ZuoRAT Malware Affects Network Systems

The ZuoRAT malware was designed to sneak under the radar on SOHO routers. In addition to taking advantage of the fact that these routers are typically unmanaged, the malware also used router-to-router communications and proxy servers for command and control (C2), making it even more difficult to detect the malware or trace it back to its source.

In addition to building a network of infected routers, ZuoRAT can have various impacts on an organization’s network systems. The malware can eavesdrop and intercept network traffic and, through its various modules, has the potential to perform other attacks, such as password spraying or code injection, using the malware’s resources and access to network traffic.

How to Protect Against ZuoRAT Malware

Some security best practices that can help to protect against these attacks include:

  • Device Inventory: ZuoRAT takes advantage of the fact that many SOHO router owners don’t know what devices they have, making them less likely to respond to reports of an actively exploited vulnerability. Maintaining a full inventory of IT devices helps to ensure that devices don’t slip through the cracks.
  • Patch Management: ZuoRAT exploits publicly known vulnerabilities to gain access to vulnerable devices. Promptly installing patches and updates when they become available can close potential security gaps before they can be exploited by an attacker.
  • Network Security: ZuoRAT engages in various malicious actions, including MitM attacks and downloading malicious modules and other malware variants. Network monitoring and intrusion prevention systems (IPS) can help to detect and remediate these threats.
  • Web Security: ZuoRAT can be used for HTTP MitM attacks, which redirect users’ traffic to other websites. Web security solutions can help to identify malicious redirects and block malware from being delivered to users’ devices via phishing pages.
  • Access Management: This malware compromises routers, eavesdrops on traffic, and can be used in password spraying and similar attacks. All of these methods can be used to compromise user credentials, making strong access management — including least privilege access controls and multi-factor authentication — essential for protecting against account takeover (ATO) attacks.

ZuoRAT Malware Detection and Protection with Check Point

ZuoRAT is a versatile malware variant that took advantage of the surge in remote work by targeting under-protected small networks that were suddenly entrusted with sensitive business data. By accessing unpatched SOHO routers, it gains the perfect foothold to monitor network traffic and perform other attacks from these often unmanaged devices.

These sorts of techniques are still commonplace in 2023, demonstrating that cybercriminals have struck on a successful tactic. However, this is just one of many security threats that companies are grappling with. Learn more about the current cybersecurity threat landscape in Check Point’s 2024 Cyber Security Report.

Check Point’s Harmony Endpoint provides companies with the visibility and control required to identify and manage the threats posed by ZuoRAT and other malware variants. Find out more about Harmony Endpoint and its prevention-focused approach with a free demo.
