Multistage ZuoRAT Malware

A stealthy remote access trojan (RAT) dubbed ZuoRAT has been compromising a relatively easy target: small office/home office (SOHO) routers. The malware has been in use since 2020, mainly affecting remote workers in the U.S. and Western Europe who have access to corporate networks. Researchers warn that the observed tactics, techniques and procedures (TTPs) point to a sophisticated threat actor behind the campaign, with a high probability of state sponsorship by China.

Detect ZuoRAT Malware

To detect ZuoRAT malware within your system, use the following Sigma rules provided by the top-tier SOC Prime Threat Bounty developers Kaan Yeniyol and Osman Demir:

Possible Initial Access by ZuoRAT Hijacks (via proxy)

Suspicious ZuoRAT Malware Hijacks SOHO Routers (via file_event)

These detection rules are aligned with the MITRE ATT&CK® framework v10, addressing the Initial Access and Discovery tactics, represented by the Exploit Public-Facing Application (T1190) and File and Directory Discovery (T1083) techniques respectively.

SOC Prime’s Threat Bounty Program welcomes both experienced and aspiring threat hunters to share their Sigma-based detection content in exchange for expert coaching and steady revenue.

Check out the Sigma rules that identify ZuoRAT attacks: the Detect & Hunt button takes you to a wide library of dedicated rules tailored for 25+ SIEM, EDR, and XDR solutions. The Explore Threat Context button gives SOC professionals who do not yet have an account on the Detection as Code platform the same access as registered users.

ZuoRAT Campaign Analysis

The COVID-19 pandemic posed many issues for security practitioners. The pool of security risks induced by remote work has grown steadily over the last few years and is here to stay. One recently disclosed operation that exploits the conditions of the remote workplace is the campaign built on the multistage remote access trojan ZuoRAT, a modified version of the Mirai botnet, deployed on routers from vendors such as Cisco, ASUS, DrayTek, and NETGEAR.

Security analysts from Lumen's Black Lotus Labs released a report detailing their research into a campaign that uses compromised SOHO routers to intercept traffic passing through the infected device and to hijack communications on the network in order to reach other devices on the LAN. Adversaries then move laterally across the compromised network and deploy additional malicious payloads, such as Cobalt Strike beacons, CBeacon and GoBeacon, gaining the ability to run arbitrary commands on a targeted device or within any process.

The research data suggests that infections with this challenging form of malware started back in 2020, around the beginning of the first wave of pandemic-related restrictions and the rapid growth of the remote workforce. To remain undetected, the malware operators relied on router-to-router communication and on rotating the compromised proxies.

The growing number and severity of cyber attacks on remote workers worldwide expand the attack surface, putting more businesses at risk each day. To gear your company up with the best security practices, register for the SOC Prime Platform.
