ZuoRAT Malware Is Targeting Routers

Wired is reporting on a new remote-access Trojan that is able to infect at least eighty different targets:

So far, researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.

More details in the article.

Posted on June 30, 2022 at 3:04 PM9 Comments


Ted June 30, 2022 5:22 PM

Zuo as in “left” in Chinese, eh?

SOHO routers are interesting targets. Is everyone updating and periodically rebooting their routers? How about performing factory resets?

Seeing as the pandemic forced more people to work remotely, I’d have to think these types of security concerns were increasingly on the radar for more people and organizations. I hope that Black Lotus Labs is able to share the IoCs and threat intelligence across platforms and providers.

Even though such complex malware could probably be used broadly, I’m also curious about the profile of the 80 identified targets.

lurker June 30, 2022 7:52 PM

So how does this thing get into its victims? Oh, existing CVEs and badly protected passwords. Nothing to see here, move along please . . .

Clive Robinson June 30, 2022 8:02 PM

@ ALL,

The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant,

No it’s not particularly significant.

The MIPS architecture like that of ARM has been around for quite a while and is capable of supporting several flavours *nix OS, as well as RT-OS suitable for somewhat sophisticated machinery effectively.

There is MIPS software around for Wireless routers and the like (see OpenWRT project)

I suspect that a big chunk of the software is not as “custom” as some people think, or claim.

This dates back a couple of years,


Look at the MIPS section.

The fact is MIPS is a very cheap core for IoT and WiFi “System on a Chip”(SoC) devices and uses quite a bit less electrical power than equivalent ARM SoC’s.

ASM level programing wise I prefere MIPS to ARM, but across the great divide at C and up who cares.

Adeline Russell June 30, 2022 8:46 PM

@ Clive Robinson, Ted,

No it’s not particularly significant.

Apart from the software maybe not being very special, it’s something that should be mostly irrelevant to organizations. We’ve been saying for the last 30+ years that the network should not be trusted, and anyone who thought otherwise should’ve woken up when people started taking work laptops to public wi-fi hotspots. Security policies should assume the network is compromised, quite possibly by something/someone more interesting than “standard” untargeted malware.

Quantry July 4, 2022 10:41 AM

From the article, this source:

Why are ports 9000, 55555, 55556, 55558 and 39500 even open for the average small business?

And if “ZuoRAT can’t survive a reboot” is this an inference that small businesses leave their networks up 24×7? Why expand exposure if the goal is to shrink it? Surely your people go to bed with zoned predictability. Even 3 hours is a 10% opportunity reduction.

The really hateful thing, incidentally, is that some of those routers require a network connection before you CAN configure during a reboot. By design! WT..?

I must be dense.

Clive Robinson July 4, 2022 1:35 PM

@ Adeline Russell, Ted, ALL,

Security policies should assume the network is compromised, quite possibly by something/someone more interesting than “standard” untargeted malware.

Back last century for a little while people did start to consider “the network is compromised”. The Morris Worm had kind of poped the “naivety bubble” surrounding the fledgling DARPA- Net –later Internet– in Nov 1988. Back then things were mostly *nix, using the BSD stack, and the worm caused people to start to think and act…

At this time Microsoft had still done next to nothing with networking and it was other companies like Novel that were doing Workplace LAN with only later crude WAN connectivity for eye wateringly expensive “leased lines”.

PC’s were not realy talking to each other let alone the world. It would take the work of Radio Amateur KA9Q, Phil Kaun and his AX25 stack[1] to change all of that in the UK which was “leading the world” in many respects and eventually forced Microsoft to “borrow the BSD network stack”. Only MS used the “old code”… Which is why eventually the first “Teardrop attack” was so effective.

But even today people still do not think sensibly about “communications networks” other than “inside and outside” and “Network perimeters”… Basically the defenders only think of a “gateway router and firewall” some thirty years later. The attackers however see things differently, and advantageously. You have SigInt agencies tucking themselves away in the router upstream of the gateway router unseen by defenders, just vanpiring up all the traffic they can. But you also have “Advanced Persistant Threat”(APT) types from the other parys of the “Intelligence Communities”(IC) burrowing in past the firewall and finding no opposition to their behaviours. Which has enabled the crooks to move in with ransomware etc…

But as I note from time to time, one of the first questions I ask is,

“Show me the valid business case for that PC to be connected to external communications?”

And in most cases still, it boils down to “It’s a good idea, according to…” or some such other MBA mantra nonense.

The argument is kind of “SMS was a surprise success” we don’t know why but it’s obviously good. Then “Email was a surprise success” Why? we’ve no idea on that either. Instant Messaging that was great as well. So “Social Media give me some of that it has to be a success, because history…” so again no idea, but “Hey lets jump on the bandwagon, it’s got to be good…”.

I suspect some others see this as at best slightly odd behaviour as well. But that unreasoned upside thinking” of “Think of the profits” or similar gets to run. Whilst downside or cautious thinking of “Don’t mention the Emperor’s ass is on display” or “Don’t kill the Golden Goose” or similar does not make you a “team player”…

[1] The KA9Q NOS was based on the European X25 WAN protocols that were actually going global at the time (as they were circuit switched). As such X25 was often hidden out of sight in the “physical layer” on which other networks were layered. In fact IP was layered upon X25 much as it was on the Cambridge Ring, Oh and that awful Ethernet and that IBM LAN (which nobody can remember ;-). IP in turn carried UDP and TCP layered upon it and so on…


Chris Drake July 15, 2022 11:43 PM

I registered an expired malware domain, and discovered that the storm of traffic I got included pre-infection router traffic – at the rate of many dozens per minute. In 100% of the cases, if I contacted the management port (80, or 8080, or 443, or 22, or 23, or whatever*) I was able to log in as administrator using default credentials.

  • I found the ports initially by scanning.
  • I found the default credentials by using the login banner for google searches.

In every case, it took about 1 minute before someone/something else logged in and changed the password. BIOS updates were an option in all cases.

I wrote a script to automate changing the passwords to random junk (to block the hackers).

I Contacted the police about this – they told me to stop my script, because I was technically breaking the law.

Rebuilding firmware is easy – you don’t need to be a “sophisticated actor” to do that – toolchains and examples are everywhere, and for the script-kiddies, so are prebuilt binaries for plenty of services.

So many stupid people in the world…

SpaceLifeForm July 16, 2022 2:11 AM

@ Chris Drake

Listen to what the Police told you.

Not only are you wasting your time and effort, you may actually be creating problems for an ongoing investigation. The machines are likely backdoored and have a reverse shell, so changing passwords is not going to stop the perps. As you saw, someone is watching the traffic closely.

I would contact the FBI and give them the domain so they can monitor.

Don’t mess with it.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.