A new and sophisticated malware, dubbed HiatusRAT, that targets various business-grade routers has emerged in the threat landscape.

What happened?

Lumen Black Lotus Labs researchers found threat actors targeting end-of-life DrayTek Vigor routers with the Hiatus malware and a variant of tcpdump, which enables packet capture.
  • At least 100 computers have been infected, predominantly in Europe and Latin America.
  • In some cases, the malware was also found targeting routers running MIPS and ARM-based architectures.
  • The ultimate goal of the actors was to establish a covert proxy network and collect sensitive data from compromised systems.

Capabilities of HiatusRAT

Once executed, HiatusRAT performs multiple functions on compromised systems.
  • It can secretly record victims’ activities and collect system information such as MAC address, kernel version, process name, UID, and firmware version.
  • The malware also collects network information such as ifconfig command outputs and the ARP cache.

More in detail

  • The campaign comprises three main components: a bash script that deploys two malicious binaries, namely HiatusRAT and a variant of tcpdump that enables packet capture on the target device.
  • The tcpdump binary allows cybercriminals to monitor traffic on ports associated with email and file-transfer communications from the adjacent LAN.
  • Researchers discovered four versions of the binary that were built for ARM, i386, MIPS64 big endian, and MIPS32 little endian.
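Because the researchers report builds for four distinct targets (ARM, i386, MIPS64 big endian, MIPS32 little endian), a responder who pulls unknown binaries off a router first needs to know what they were built for. The following is an added triage example written for this page, not code from Black Lotus Labs or from the Hiatus campaign: it reads only the ELF identification bytes and e_machine field (offsets defined by the ELF specification) and reports whether a file's build target is one of the four named above. The constants, the minimal header-only sample blobs, and the choice to accept any ARM width or endianness (the page says only "ARM") are assumptions of this example; a match on architecture alone is a prompt for closer analysis, not an indicator of compromise.

```python
import struct
from typing import Dict, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
# e_machine constants from the ELF specification (not taken from the page)
EM_386, EM_MIPS, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 8, 40, 62, 183
MACHINE_NAMES = {EM_386: "i386", EM_MIPS: "MIPS", EM_ARM: "ARM",
                 EM_X86_64: "x86-64", EM_AARCH64: "AArch64"}

# The four build targets named in the write-up; None means "not constrained".
# ARM width/endianness is unspecified on the page, so any ARM build matches.
REPORTED_TARGETS = [
    ("ARM", None, None),
    ("i386", 32, "little endian"),
    ("MIPS", 64, "big endian"),
    ("MIPS", 32, "little endian"),
]


def parse_elf_header(blob: bytes) -> Optional[Dict[str, object]]:
    """Decode e_ident[EI_CLASS], e_ident[EI_DATA] and e_machine; None if not ELF."""
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    # e_machine sits at offset 18 in both ELF32 and ELF64 headers and is
    # stored in the byte order declared by EI_DATA.
    fmt = ("<" if ei_data == 1 else ">") + "H"
    (e_machine,) = struct.unpack_from(fmt, blob, 18)
    return {
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
        "bits": 32 if ei_class == 1 else 64,
        "order": "little endian" if ei_data == 1 else "big endian",
    }


def describe(blob: bytes) -> Optional[str]:
    """Human-readable build target, e.g. 'MIPS 64-bit big endian'."""
    h = parse_elf_header(blob)
    if h is None:
        return None
    return f"{h['machine']} {h['bits']}-bit {h['order']}"


def matches_reported_target(blob: bytes) -> bool:
    """True if the ELF build target is one of the four reported for the campaign."""
    h = parse_elf_header(blob)
    if h is None:
        return False
    return any(
        h["machine"] == machine
        and bits in (None, h["bits"])
        and order in (None, h["order"])
        for machine, bits, order in REPORTED_TARGETS
    )


def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed 20-byte header-only blob for testing; not a runnable binary."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9  # 16-byte e_ident
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    return ident + struct.pack(fmt, 2, e_machine)  # e_type=ET_EXEC, e_machine


# Constructed samples standing in for files recovered from a router filesystem.
SAMPLES: Dict[str, bytes] = {
    "arm_le": make_header(1, 1, EM_ARM),
    "i386": make_header(1, 1, EM_386),
    "mips64be": make_header(2, 2, EM_MIPS),
    "mips32le": make_header(1, 1, EM_MIPS),
    "x86_64": make_header(2, 1, EM_X86_64),
    "script": b"#!/bin/sh\necho hello\n",
}


def triage(samples: Dict[str, bytes]) -> Dict[str, Tuple[Optional[str], bool]]:
    """Map each sample name to (description or None, matches a reported target)."""
    return {name: (describe(blob), matches_reported_target(blob))
            for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (desc, hit) in triage(SAMPLES).items():
        flag = "matches a reported build target" if hit else ""
        print(f"{name:10} {desc or 'not ELF':28} {flag}")
```

Run against a directory of recovered files by replacing SAMPLES with the files' bytes; anything that is ELF and matches a reported target should be hashed and compared against the published indicators, while the check itself says nothing about a file that is merely built for a common router architecture.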

Researchers indicate the campaign has been active since July 2022. Threat actors are maintaining a minimal footprint to limit their exposure and maintain critical points of presence.

Ending note

Researchers are still monitoring the campaign to understand the scope and intensity of the malware. As attackers continue to target routers, organizations are advised to use VPN-based access to protect data and bolster their security posture. The use of cryptographic protocols such as SSL and TLS helps protect data in transit. Moreover, security experts can check GitHub for additional information on IOCs associated with the campaign.
Cyware Publisher
