Attackers are infiltrating routers to take control of connected devices

Home office and small business routers are under attack

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

An unknown threat actor is targetingrouterswith remote access trojans (RATs), in a bid to hijack traffic, collect sensitive data and compromise connected devices.

This is according to Black Lotus Lab, the threat intelligence division of Lumen Technologies, which recently observed real-world attacks leveraging a novel malware strain, called ZuoRAT.

ZuoRAT is a multi-stage remote access trojan, developed exclusively for SOHO (small office/home office) routers. It’s been in use for some two years now, the researchers say, targeting businesses in North America and Europe.

Themalwareleverages known vulnerabilities to provide the attackers with access to the routers. Once in, they’re able to deploy two additional, custom-built RATs on the target devices.

Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at theend of this surveyto get the bookazine, worth $10.99/£10.99.

Extracting data from home workers

The additional RATs allow threat actors to upload and download files, run commands and persist on the workstation. One of them has cross-platform functionality, it was added.

Black Lotus Labs also found two separate command & control (C2) servers. One is designed for the custom workstation RAT, and leverages Chinese third-party services. The second one was designed for the routers.

This malicious campaign started approximately at the same time as the pandemic, and the researchers believe the two are connected. When businesses shifted toremote working, employees began accessing corporate networks from home, increasing the risk factor.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Novel cyberthreats: how to stay safe when working from home>These are the best secure routers around right now>Is ‘perma-home working’ a fad or here to stay?

Attackers saw this as an opportunity, trying to leverage home-based devices, such as routers, for their nefarious purposes.

“Router malware campaigns pose a grave threat to organizations because routers exist outside of the conventional security perimeter and can often have weaknesses that make compromise relatively simple to achieve,” said Mark Dehus, Director of Threat Intelligence for Lumen Black Lotus Labs.

“In this campaign, we have observed a threat actor’s capability to exploit SOHO routers, covertly access and modify internet traffic in ways difficult to detect and gain additional footholds in the compromised network.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Best CDN provider of 2024

Google’s new AI video maker for businesses is now available on Workspace

Warhammer 40,000: Darktide is coming to PS5 with PS5 Pro support at launch