As if you didn’t already have enough to worry about, a new report finds that hackers are targeting home Wi-Fi routers to gain access to all of your connected devices.
The report comes from Black Lotus Labs, the threat research division of Lumen Technologies. It details several real-world attacks observed on small office / home office (SOHO) routers since 2020, when millions of people began working from home at the onset of the COVID-19 pandemic.
According to Black Lotus Labs, the attackers use a Remote Access Trojan (RAT) to hijack the home router. The new malware strain, called ZuoRAT, gains access to the router and then deploys onto it. Once deployed, the RAT allows attackers to upload and download files to and from the devices connected to the home or office network.
“The rapid shift to remote work in spring 2020 presented a fresh opportunity for threat actors to undermine traditional defense-in-depth protections by targeting the weakest points of the new network perimeter – small office / home office (SOHO) routers,” Lumen Technologies said in a blog post. “Actors can use a SOHO router to maintain a low detection presence in the target network.”
ZuoRAT resists attempts to run it in a sandbox for further study. When it first deploys, it tries to contact several public servers; if none of them respond, it assumes it is running in a sandbox and removes itself.
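The sandbox check described above is a connectivity test: the sample probes public servers and bails out if the network is silent. The defender's counter is a fake-internet responder inside the analysis environment that answers every probe, so the sample proceeds and can be observed. The following is an added illustration, not Black Lotus Labs' tooling and not code from the report; it assumes an analysis host where DNS for the probed names has been pointed at 127.0.0.1, and the `AlwaysOnlineHandler`, `start_fake_responder` and `probe` names are constructed for the example.

```python
"""Fake-internet responder for offline malware analysis.

Constructed example (not the report's own code): a sandbox component that
answers any HTTP connectivity probe with 200 OK and records what was probed,
so a 'no response means sandbox' check does not trigger.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class AlwaysOnlineHandler(BaseHTTPRequestHandler):
    """Answer every GET with 200 OK and log the Host header and path."""

    # Class-level record of probes, read back by the analyst afterwards.
    seen = []

    def do_GET(self):
        AlwaysOnlineHandler.seen.append((self.headers.get("Host"), self.path))
        body = b"OK"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Keep stderr quiet; the 'seen' list is the record we care about.
        pass


def start_fake_responder(port=0):
    """Start the responder on 127.0.0.1 in a daemon thread.

    Returns (server, bound_port). port=0 lets the OS pick a free port, which is
    what an automated sandbox harness would do before redirecting DNS here.
    """
    server = HTTPServer(("127.0.0.1", port), AlwaysOnlineHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server, server.server_address[1]


def probe(port, path="/"):
    """Mimic a sample's connectivity probe; return the HTTP status it would see."""
    with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=2) as resp:
        return resp.status


def probed_paths():
    """Paths the responder has answered so far (what the sample reached for)."""
    return [path for _host, path in AlwaysOnlineHandler.seen]


if __name__ == "__main__":
    srv, bound = start_fake_responder()
    print("probe status:", probe(bound, "/connectivity-check"))  # 200
    print("recorded probes:", probed_paths())
    srv.shutdown()
```

In a real analysis setup the responder sits behind a DNS sink that resolves every name to the analysis host, and the recorded probes double as indicators of the servers the sample expects to reach. The same trick applies to non-HTTP probes (ICMP, DNS, raw TCP), which is why purpose-built simulators answer on many protocols rather than just port 80.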
The malware is highly complex, and Lumen Technologies thinks it may have originated from a nation-state actor rather than from independent cybercriminals. This means that a government with extensive resources could be targeting SOHO routers in North America and Europe.
ZuoRAT gains remote access to SOHO routers. It constantly scans networks for vulnerable routers and attacks any it finds.
Once the Trojan is in place, there is no limit to the damage it can do. So far the attackers have been content to steal data – personally identifiable information (PII), financial information and otherwise secure business or corporate information. However, threat actors also have the ability to deploy additional malware once they have gained access.
Black Lotus Labs was able to trace one of the ZuoRAT samples to servers in China. Apart from that, little is known about the origins of the malware.
Most common home routers appear to be vulnerable, including models from Cisco, Netgear, and ASUS. The best way to protect against ZuoRAT infection is to regularly restart your home router. The malware cannot survive a restart that wipes the router and restores it to its factory settings (a factory reset).