Attackers are infiltrating routers to take control of connected devices

By Scott Marlette Last updated Jun 30, 2022

An unknown threat actor is targeting routers (opens in new tab) with remote access trojans (RATs), in a bid to hijack traffic, collect sensitive data and compromise connected devices.

This is according to Black Lotus Lab, the threat intelligence division of Lumen Technologies, which recently observed real-world attacks leveraging a novel malware strain, called ZuoRAT.

ZuoRAT is a multi-stage remote access trojan, developed exclusively for SOHO (small office/home office) routers. It’s been in use for some two years now, the researchers say, targeting businesses in North America and Europe.

The malware leverages known vulnerabilities to provide the attackers with access to the routers. Once in, they’re able to deploy two additional, custom-built RATs on the target devices.

The additional RATs allow threat actors to upload and download files, run commands and persist on the workstation. One of them has cross-platform functionality, it was added.

Black Lotus Labs also found two separate command & control (C2) servers. One is designed for the custom workstation RAT, and leverages Chinese third-party services. The second one was designed for the routers.

This malicious campaign started approximately at the same time as the pandemic, and the researchers believe the two are connected. When businesses shifted to remote working, employees began accessing corporate networks from home, increasing the risk factor.

Attackers saw this as an opportunity, trying to leverage home-based devices, such as routers, for their nefarious purposes.

“Router malware campaigns pose a grave threat to organizations because routers exist outside of the conventional security perimeter and can often have weaknesses that make compromise relatively simple to achieve,” said Mark Dehus, Director of Threat Intelligence for Lumen Black Lotus Labs.

“In this campaign, we have observed a threat actor’s capability to exploit SOHO routers, covertly access and modify internet traffic in ways difficult to detect and gain additional footholds in the compromised network.”

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.