ZuoRAT Malware

How Does ZuoRAT Work?

ZuoRAT is a descendant of Mirai, one of the most famous Internet of Things (IoT) botnets in history. Mirai’s source code was leaked in 2016, enabling other malware to build on its existing codebase.

ZuoRAT took advantage of the boom in remote work inspired by the COVID-19 pandemic. Due to the pandemic, a greater volume of business traffic now passes through SOHO routers, which connect home offices or small businesses to the Internet. These routers are typically less monitored and secured than their larger counterparts, which is likely why the RAT managed to fly under the radar for over a year before being detected.

ZuoRAT gains access to SOHO routers by exploiting unpatched vulnerabilities. These vulnerabilities are publicly known; however, few individuals and small businesses apply the patches, leaving them vulnerable to exploitation. After gaining access to a router, the primary goal of ZuoRAT is the collection of sensitive data. It eavesdrops on communications passing through the router and performs man-in-the-middle (MitM) attacks on HTTP and DNS traffic.

As a RAT, the malware also provides the attacker with the ability to remotely control the infected devices. After collecting information about the infected devices and the networks that they are connected to, the malware operator can decide to run certain commands on the systems or download additional modules.

The ZuoRAT’s modularity provides it with a wide range of capabilities. An estimated 2,500 different modules have been identified for the malware, enabling attackers to launch highly customized attacks against infected systems and networks.

How to Protect Against ZuoRAT Malware

Some security best practices that can help to protect against these attacks include:

• Device Inventory: ZuoRAT takes advantage of the fact that many SOHO router owners don’t know what devices they have, making them less likely to respond to reports of an actively exploited vulnerability. Maintaining a full inventory of IT devices helps to ensure that devices don’t slip through the cracks.
• Patch Management: ZuoRAT exploits publicly-known vulnerabilities to gain access to vulnerable devices. Promptly installing patches and updates when they become available can close potential security gaps before they can be exploited by an attacker.
• Network Security: ZuoRAT engages in various malicious actions, including MitM attacks and downloading malicious modules and other malware variants. Network monitoring and intrusion prevention systems (IPS) can help to detect and remediate these threats.
• Web Security: ZuoRAT can be used for HTTP MitM attacks, which redirect users’ traffic to other websites. Web security solutions can help to identify malicious redirects and block malware from being delivered to users’ devices via phishing pages.
• Access Management: This malware compromises routers, eavesdrops on traffic, and can be used in password spraying and similar attacks. All of these methods can be used to compromise user credentials, making strong access management — including least privilege access controls and multi-factor authentication — essential for protecting against account takeover (ATO) attacks.