A new malware called HiatusRAT infects routers to spy on its targets, mainly in Europe and the US Find out which router models are most commonly attacked and how to protect yourself against this security threat.
As before exposedrouters can be used by threat actors as efficient locations to install malware, common Cyber espionage. Routers are often less secure than standard devices and often use modified versions of existing operating systems. Therefore, targeting routers can be interesting for attackers, but more difficult to compromise and use than a normal endpoint or server.
Lumen’s Black Lotus Labs has exposed new malware targeting routers in a campaign called Hiatus by the researchers.
Jump to:
What is the Hiatus malware campaign?
The Hiatus campaign mainly focuses on DrayTek Vigor router models 2960 and 3900, which have an i386 architecture. These routers are mostly used by mid-sized companies, as the router capabilities support several hundred employee VPN connections.
The researchers also found other malicious binaries targeting MIPS and ARM-based architectures.
The initial attack vector remains unknown, but once the attackers gain access to the targeted routers, they drop a bash script. When that bash script is executed, it downloads two additional files: the HiatusRAT malware and a variant of the legitimate tcpdump tool, which enables network packet capture.
Once those files are executed, the attackers have control over the router and can download files or run arbitrary commands, intercept the infected device’s network traffic, or use the router as a SOCKS5 proxy device, which can be used for further compromise or to attack other companies.
HiatusRAT malware
When the RAT starts, it checks if port 8816 is being used. If the port is used by a process, it kills it and opens a new listener on the port, ensuring that only one copy of the malware is running on the device.
It then collects information about the compromised device, such as system information (such as kernel version, MAC address, architecture type, and firmware version), network information (network interface configuration and local IP addresses), and file system information (mount points, directory listing, file system type, and virtual memory file system). Moreover, it collects a list of all running processes.
After collecting all that information, the malware sends it to an attacker-controlled heartbeat C2 server.
The malware has more capabilities, such as updating the configuration file, providing a remote shell to the attacker, reading/deleting/uploading files, downloading and executing files, or enabling SOCKS5 packet forwarding or plain TCP forward packets.
Capturing network packets
Aside from the HiatusRAT, the threat actor also deploys a variant of the legitimate tcpdump tool, which can capture network packets on the compromised device.
The bash script used by the threat actor showed a particular interest in connections on ports 21, 25, 110, and 143, which are mostly for file transfer protocols and email transfers (SMTP, POP3, and IMAP email protocols) .
The script allows for more port sniffing, if needed. If used, the captured packets are sent to an upload C2, different from the heartbeat C2, after the packet intercept reaches a certain length.
This allows the threat actor to passively intercept entire files transferred via the FTP protocol or emails passing through the infected device.
Campaign targeting
Black Lotus Labs identified approximately 100 unique IP addresses communicating with the C2 servers controlled by the threat actor as of July 2022. These addresses can be divided into two categories:
- Medium-sized companies that have their own email servers and sometimes have IP address ranges on the Internet that can identify them. Companies in the pharmaceutical industry, IT services or consultancy firms and a municipal government, among others, could be identified. The researchers suspect that attacking IT companies is a choice to enable downstream access to customers’ environments.
- IP ranges of internet service provider customers used by targets.
The geographic spread of the targets shows a strong interest in UK companies and some other European countries, in addition to North America (Image A).
Image A
According to the researchers, about 2,700 DrayTek Vigor 2960 routers and 1,400 DrayTek Vigor 3900 routers are connected to the Internet. Infecting only about 100 of those routers makes the campaign small and difficult to detect; the fact that only 100 routers out of thousands are affected highlights the possibility that the threat actor is targeting only certain targets and is not interested in larger targets.
4 steps to protect against the Hiatus malware threat
1. Reboot routers regularly and keep their firmware and software patched to prevent them from being compromised by common vulnerabilities.
2. Implement security solutions with capabilities to log and monitor the behavior of the routers.
3. End-of-life devices should be removed and replaced with supported models that can be upgraded for maximum security.
4. All traffic passing through routers must be encrypted so that even interception cannot abuse it.
Read more: Intrusion Detection Policy (Tech Republic Premium)
Revelation: I work for Trend Micro, but the opinions expressed in this article are my own.
