Numerous small office and home office routers across North America and Europe, including those manufactured by Cisco, Asus, Netgear, and DrayTek, have been targeted by the new ZuoRAT trojan, which has successfully attacked at least 80 targets since its emergence during the last quarter of 2020, Ars Technica
Black Lotus Labs researchers noted that the attackers behind the campaign are highly sophisticated, given their use of SOHO router compromise to obtain adjacent LAN access as well as person-in-the-middle attacks. Four malware strains were identified in the campaign: the MIPS-based ZuoRAT trojan enumerates router-connected devices before the CBeacon, GoBeacon, and Cobalt Strike trojans are deployed, according to the report.
"ZuoRAT and the correlated activity represent a highly targeted campaign against U.S. and Western European organizations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection," said researchers.