SOHO routers used by remote employees get targeted in a new campaign

June 30, 2022

Researchers recently spotted a new remote access trojan (RAT) dubbed ZuoRAT that has targeted remote employees through their SOHO (small office/home office) routers within North America and Europe. According to the findings, the threat operators showed attack tactics highly associated with state-backed groups.

Since the pandemic began and most employees have worked from home, the deployment of SOHO routers from several vendors has risen sharply, which threat groups have leveraged to launch their attack campaign.

Compromising the SOHO routers allowed threat actors to collect data, hijack online connections, and compromise other devices on the same networks.

Through unpatched vulnerabilities in a SOHO router, the hackers could deploy the multistage ZuoRAT malware, which allowed them to perform in-depth network reconnaissance and collect traffic data through network sniffing.

The ZuoRAT malware also helps the threat actors move laterally inside a network to compromise other devices and launch additional payloads. During the attacks, two more custom RATs were injected into the victims’ devices: CBeacon, a C++-based malware, and GoBeacon, a Go-based one. These two RAT variants are believed to be capable of infecting Linux, Mac, and Windows operating systems.

The researchers who spotted the new campaign stated that all the capabilities demonstrated by the threat actors have pointed to highly sophisticated malicious groups that carried out their operations without being detected for years.

Furthermore, deploying these malicious payloads on the victims’ networks allowed the hackers to upload and download files, run arbitrary commands, gain persistence, hijack network traffic, and spawn new processes.

The threat actors added the compromised SOHO routers to a botnet to remain undetected and relied on substitute C2 traffic.

Based on these findings, experts said organisations that rely on SOHO routers in their everyday operations must monitor those devices more closely, since threat groups have found ways to abuse them. Applying the latest patches and software updates to routers is also recommended for added security.
