Skip to main content
  1. Home
  2. Computing
  3. News

Oh great, new malware lets hackers hijack your Wi-Fi router

Nathan Drescher
By

As if you didn’t already have enough to worry about, a new report finds hackers are targeting home Wi-Fi routers to gain access to all your connected devices.

The report comes from Black Lotus Lab, a security division of Lumen Technologies. The report details several observed real-world attacks on small home/home office (SOHO) routers since 2020 when millions of people began working from home at the start of the COVID 19 pandemic.

a faceless hacker in a black hoodie in front of a computer screen with lines of code on it
Image used with permission by copyright holder

According to Black Lotus Lab, the attackers use Remote Access Trojans (RATs) to hijack a home’s router. The trojans use a new malware strain called zuoRAT to gain access and then deploy inside the router. Once deployed, the RATs allow attackers to upload and download files to all the connected devices on the home or office network.

Related

“The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defense-in-depth protections by targeting the weakest points of the new network perimeter — small office/home office (SOHO) routers.” Lumen Technologies said in a blog post. “Actors can leverage SOHO router access to maintain a low-detection presence on the target network.”

Recommended Videos

ZuoRAT is resistant to attempts to sandbox it for further study. It attempts to contact several public servers when it first deploys. If it doesn’t receive any response, it assumes it has been sandboxed and deletes itself.

The malware is incredibly sophisticated, and Lumen Technologies believes it may originate from a nation-state actor, not rogue hackers. This means a government with a lot of resources could be targeting SOHO routers in North America and Europe.

ZuoRAT gains remote access to SOHO routers. It is constantly scanning networks for vulnerable routers and attacks if one is located.

Once the trojans are in, there’s no limit to the damage they can do. So far, they’ve been content with stealing data — personal identifiable information (PII), financial information, and normally secure business or corporate information. However, the ability is there for threat actors to deploy other malware once they’ve gained access.

Blue Lotus Lab was able to trace one of the zuoRAT viruses to servers in China. Other than that, little is known about the origins of the malware.

Most common household routers seem to be vulnerable, including Cisco, Netgear, and ASUS.  The best way to protect against a zuoRAT infection is to regularly reboot your home router. The virus cannot survive a reboot, which wipes the router and restores it to its factory settings.

Editors' Recommendations

Topics
Nathan Drescher
Nathan Drescher
Computing Writer
Nathan Drescher is a freelance journalist and writer from Ottawa, Canada. He's been writing about technology from around the…
This Wi-Fi security flaw could let drones track devices through walls
Professor Ali Abedi flying Wi-Peep standing against brick wall.

A research team from the University of Waterloo has attached a device to a drone that can use vulnerabilities in Wi-Fi networks to see through walls.

Imagine intruders being able to track people by the devices they have on them or find weak spots in their homes. This alarming possibility has been proven by a device called Wi-Peep, which is essentially $20 of easily-purchasable hardware, an off-the-shelf quadcopter, and the work of Dr. Ali Abedi and his team at the University of Waterloo.

Read more
Hackers are infiltrating news websites to spread malware
A black fedora rests on top of newspapers infected with spreading green lines..

Some alarming news broke today that hundreds of U.S. news websites are unwittingly playing a big role in a new malware campaign that's disguised as a Chrome browser update. This is quite a devious attack method since it's considered an important security practice to update your browser as soon as possible.

The way hackers are delivering the malware is also clever. It’s coming via an advertising network that also supplies video content to newspaper websites across the nation. It’s difficult to identify and shut down this attack because it is applied intermittently. According to a tweet by the security research team Threat Insight, the JavaScript code is being changed back and forth from the normal harmless ad delivery script to the one that includes the hacker code that shows a false update alert.

Read more
This new malware is targeting Facebook accounts – make sure yours is safe
Facebook logo appears with a hooded figure over a cracked blue background.

In the ongoing barrage of cyberattacks, Facebook users are being targeted by a new version of the Ducktail malware that originally surfaced in July. The first implementation was specifically aimed at Facebook Business accounts, but it has recently become a more widespread danger.

The latest version of Ducktail collects any and all Facebook data available on an infected computer. If it happens to be a business account, payment methods could be discovered, putting your money at risk. Furthermore, Facebook Business data might include billing information and cycles, which could be used to help disguise unauthorized purchases.

Read more