Malware Highlight: ZuoRAT

A new and remarkably sophisticated piece of malware has been infecting routers across North America and Europe, according to a recent Wired article: "researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek." You may well own a router from one of these brands.

The program belongs to the category of malware called Trojans; the "RAT" in its name stands for remote access trojan. What's more, the fact that it compromises routers rather than individual end-user devices amplifies the harm it can do. Let's take a look at this new threat.

What's a Trojan?

A Trojan, whose name comes from the Trojan horse of Greek mythology, is a type of malware that masquerades as something legitimate in order to trick a user into downloading or running it. This can take many forms, such as an email attachment that installs the program when opened or a conspicuously placed ad in a social media feed.

Often the Trojan itself does little visible damage. Instead, it opens a way into the victim's computer for an outside actor, i.e. a cybercriminal, who then does the real harm. Phishing campaigns commonly deliver Trojans, and ransomware attacks frequently use one as the initial foothold into a network or a store of information.

Thankfully, Trojans have been around for a long time, so most security products detect their common variants. Beyond running anti-malware software, regular operating system and application updates and cautious online behavior (like not opening attachments from unexpected emails) go a long way toward keeping common Trojans out. (A VPN encrypts your traffic in transit but does nothing to stop a Trojan that you download and run yourself.)

This new Trojan is different, though. Rather than infecting a single computer or device, it embeds itself in a network router, the device that handles the internet connections for every machine on the network. Because all of that traffic passes through the router, the Trojan, dubbed ZuoRAT, can quietly collect information about the other devices on the network. Even more concerning is its ability to do so without revealing itself, which, according to Dan Goodin from Wired, "is the hallmark of a highly sophisticated threat actor."

Once the Trojan has mapped the devices on the network, the attacker who installed it can use that information to infect those devices with other malware that does the actual damage.

Luckily, ZuoRAT is not hard to dislodge from the router itself. Goodin writes that "[s]imply restarting an infected device will remove the initial ZuoRAT exploit, consisting of files stored in a temporary directory. To fully recover, however, infected devices should be factory reset." A reboot alone is therefore only a partial fix; a factory reset both restarts the device and wipes its stored data and configuration, returning the router to the state it was in when you took it out of the box. Before reconnecting a reset router, install the latest firmware from the manufacturer and set a new administrator password rather than keeping the default. Goodin is quick to add a caveat, though: any other device on the network that was infected with additional malware as a result of the initial ZuoRAT compromise will need to be cleaned up separately.

If you're worried about sophisticated new security threats or if you need help cleaning up some infected hardware, give Titan Tech a call today to set up a free consultation.

And join us next week for more tech news.