New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims

March 06, 2023 | Ravie Lakshmanan | Network Security / Malware


Since at least July 2022, unprecedentedly complex malware has been targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America.

The elusive campaign, dubbed Hiatus, was discovered by Lumen Black Lotus Labs. It deploys two malicious binaries: a remote access Trojan called HiatusRAT, and a tcpdump variant that enables packet capture on the target device.

“Once a targeted system is infected, HiatusRAT allows the attacker to interact with the system remotely, leveraging pre-built functionality. […] It’s about turning compromised machines into covert proxies for threat actors,” the company said in a report shared with The Hacker News.

“The packet capture binary allows the actor to monitor router traffic on ports related to email and file transfer communications.”

The threat cluster primarily targets end-of-life (EoL) DrayTek Vigor router models 2960 and 3900, with approximately 100 internet-exposed devices compromised as of mid-February 2023. The victims include companies, municipalities and other organizations.

Interestingly, this is only a small fraction of the 4,100 DrayTek 2960 and 3900 routers publicly accessible via the Internet, suggesting that “attackers intentionally kept a minimal footprint to limit exposure.” It increases the possibility of maintaining […]

Given that the affected devices are high-bandwidth routers capable of supporting hundreds of VPN connections simultaneously, the campaign’s motives are suspected to be spying on targets and establishing stealthy proxy networks.


Mark Dehus, Director of Threat Intelligence at Lumen Black Lotus Labs, said: “This helps attackers establish and maintain long-term persistence without being detected.”

The exact initial access vector used in the attack is unknown, but a successful compromise deploys a bash script that downloads and executes HiatusRAT and packet capture binaries.

HiatusRAT is feature-rich: it can collect router information and the list of running processes, connect to remote servers to fetch files, and execute arbitrary commands. It can also proxy command-and-control (C2) traffic through the infected routers.


Using compromised routers as proxy infrastructure is likely an attempt to obfuscate C2 operations, the researchers say.

The findings come more than six months after Lumen Black Lotus Labs revealed an unrelated router-focused malware campaign using a new Trojan called ZuoRAT.

“The Hiatus discovery confirms that attackers continue to pursue router exploits,” said Dehus. “These campaigns demonstrate the need to protect the router ecosystem, which should be monitored, rebooted and updated regularly, while used devices should be replaced.”
