
HiatusRAT Returns after a Hiatus in a Fresh Wave of Attacks

Threat actors responsible for developing the HiatusRAT malware have resumed their operations after a period of inactivity by launching a fresh wave of attacks. These attacks, observed from mid-June to August, were launched against organizations in Taiwan, as well as a procurement system utilized by the U.S. military. 

Researchers at Black Lotus Labs note that the tactics and techniques differ from the group's previous focus on Latin America and Europe, where more than 100 compromised edge networking devices were used to covertly collect traffic and operate as a C2 network.

What’s new?

From June through August, Black Lotus Labs observed multiple newly compiled versions of the HiatusRAT malware in the wild. They found prebuilt binaries targeting new architectures and linked these samples to the campaign described in their previous report. 
  • This time, the HiatusRAT payloads were hosted on a different set of procured VPSs. 
  • Further analysis showed that over 91% of the inbound connections to the malicious files originated from Taiwan, with a preference for Ruckus-manufactured edge devices.
  • Various Taiwanese organizations, including semiconductor manufacturers and a municipal government organization, were affected.
  • Although the targets also included semiconductor and chemical manufacturers, the actors allegedly aimed to snoop on military contracts.
What does this indicate?

The audacity of the threat actors is evident in their disregard for previous disclosures and in the minimal effort they made to change their payload servers.
  • Additionally, this highlights the challenge of dealing with edge and IoT-based malware, since there is currently no universal mechanism to clean up these devices.
  • Moreover, the shift in targeting indicates a potential strategic shift by the threat actors towards Chinese-oriented operations against U.S.-based entities.

Final words

The IOCs from this campaign are available so that organizations can proactively take action to thwart such threats. As researchers continue to monitor for new infrastructure and tactics, they have suggested relying on the latest cryptographic protocols, such as SSL and TLS, to help protect data in transit. Furthermore, customers who self-manage their routers should adhere to recommended practices, check their networks often, reboot their routers, and apply security patches and upgrades.
Cyware Publisher