Friday, June 21, 2024

ZuoRAT Malware with Hallmarks of a State-Backed Threat Actor


Black Lotus Labs recently uncovered a sophisticated campaign that may have been run by a state-sponsored group. The campaign distributes ZuoRAT, a multistage remote access trojan (RAT) built specifically for small office/home office (SOHO) routers.


Operational data for ZuoRAT

ZuoRAT and the associated activity represent a very focused effort targeting North American and European organisations.

The campaign targets a variety of SOHO routers made by NETGEAR, ASUS, Cisco, and DrayTek.

The malware is installed on a router after known, unpatched vulnerabilities (CVE-2020-26878 and, in some cases, CVE-2020-26879) are exploited with the help of an authentication bypass exploit script.

This effort makes use of third-party infrastructure situated in China, such as the Tencent platform and Alibaba’s Yuque platform, for covert command and control infrastructure.

Essential elements

ZuoRAT appears to be a heavily modified variant of the Mirai botnet. Its features fall into two groups: core functionality that runs automatically on execution, and explicitly embedded, exportable routines (auxiliary commands).

The basic functionality component enables packet capture of network traffic, gathers data about the router and LAN, and transmits the data back to the C2.

The auxiliary commands focus on LAN enumeration, which gives the actor additional targeting data about the LAN environment; on the DNS and HTTP hijacking that follows from it; on persistence and agent maintenance; and on attack techniques that are typically hard for defenders to detect.
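DNS hijacking from a compromised router is visible from inside the LAN without any access to the router itself: the answers the router's DNS forwarder hands out can be compared with answers from an independent resolver. The check below is an added example written for this page; it is not code from Black Lotus Labs, IEMLabs, or ZuoRAT itself. The two answer sets are constructed sample data, and the two detection rules (a public name resolving to an RFC 1918, loopback or link-local address, and several unrelated names collapsing onto one address the reference resolver never returned) are assumptions about what a hijack looks like, not behaviour documented on this page. Note that a plain "answers differ" rule is deliberately not used: CDN-backed names legitimately return different addresses from different resolvers, and the `cdn.example.com` entry shows that case being left alone.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the report): A records returned for the
# same names by the router's DNS forwarder and by an independent resolver.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
ROUTER_ANSWERS = {
    "login.example.com":   ["203.0.113.50"],   # three unrelated names ...
    "mail.example.com":    ["203.0.113.50"],   # ... all pointed at one
    "bank.example.net":    ["203.0.113.50"],   # address: sinkhole pattern
    "www.example.org":     ["198.51.100.10"],  # agrees with reference
    "cdn.example.com":     ["198.51.100.20"],  # differs, but benignly (CDN)
    "updates.example.com": ["10.0.0.5"],       # public name -> LAN address
}
REFERENCE_ANSWERS = {
    "login.example.com":   ["192.0.2.10"],
    "mail.example.com":    ["192.0.2.11"],
    "bank.example.net":    ["192.0.2.12"],
    "www.example.org":     ["198.51.100.10"],
    "cdn.example.com":     ["198.51.100.21"],
    "updates.example.com": ["192.0.2.13"],
}

# RFC 1918, loopback and link-local ranges. Listed explicitly rather than
# using ipaddress.is_private, which also treats the documentation ranges
# used in the sample data above as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(ip: str) -> bool:
    """True if ip falls in an RFC 1918, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_dns_hijacks(router: dict, reference: dict,
                     collision_threshold: int = 3) -> dict:
    """Compare router answers with reference answers.

    Returns {domain: reason} for names that look hijacked. A name is flagged
    when the router answers with an internal address for a name the reference
    resolver places on the public internet, or when at least
    collision_threshold names whose router answers disagree with the
    reference all collapse onto the same address (a sinkhole / proxy).
    Names whose answers merely differ are NOT flagged on their own.
    """
    findings = {}
    disagreeing_by_ip = defaultdict(set)

    for domain, ref_ips in reference.items():
        rtr_ips = router.get(domain)
        if rtr_ips is None:
            findings[domain] = "no answer from router"
            continue
        if set(rtr_ips) == set(ref_ips):
            continue  # resolvers agree; nothing to see
        if any(is_internal(ip) for ip in rtr_ips) and not any(
                is_internal(ip) for ip in ref_ips):
            findings[domain] = "public name resolved to internal address"
            continue
        # Different but not obviously wrong: remember it for the
        # collision rule below.
        for ip in rtr_ips:
            disagreeing_by_ip[ip].add(domain)

    for ip, domains in disagreeing_by_ip.items():
        if len(domains) >= collision_threshold:
            for domain in domains:
                findings[domain] = (
                    f"{len(domains)} unrelated names collapsed onto {ip}")
    return findings


if __name__ == "__main__":
    for name, reason in sorted(find_dns_hijacks(
            ROUTER_ANSWERS, REFERENCE_ANSWERS).items()):
        print(f"{name:24} {reason}")
```

In practice the reference answers would come from a resolver reached over an encrypted channel (DoT/DoH) or from a host outside the suspect LAN, since a router that rewrites DNS can equally rewrite plaintext queries to any upstream; the threshold is a tuning knob and three is only a starting point.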

The campaign also used a Windows loader to fetch a remote resource and run it on the host computer; the same loader was used to load one of the fully functional second-stage agents.



ZuoRAT's capabilities point to a highly capable actor who may have been living undetected at the edge of targeted networks for years. As a mitigation, organisations should make sure their routers are patched and running the most recent firmware versions.


