Security researchers have spotted a previously undocumented malware campaign that targets business-grade routers, specifically DrayTek devices, and infects them with two malicious binaries: the HiatusRAT malware, and a variant of the tcpdump command-line utility that enables packet capture on the compromised device.
The observed Hiatus campaign has focused on end-of-life DrayTek Vigor 2960 and 3900 models running on the i386 architecture, according to a report from Lumen’s Black Lotus Labs. The researchers say they have also found prebuilt binaries targeting MIPS, i386 and ARM-based architectures, so the tooling is not limited to those two models.
“The impacted models are high-bandwidth routers that can support VPN connections for hundreds of remote workers and offer ideal capacity for the average, medium-sized business. We suspect the actor infects targets of interest for data collection, and targets of opportunity for the purpose of establishing a covert proxy network,” Black Lotus Labs said.
The latest Hiatus campaign started in July 2022, though the researchers believe the activity cluster predates 2022. They identified roughly 100 infected devices, located mainly in Europe and Latin America, which represents nearly 2% of the DrayTek 2960 and 3900 routers currently exposed to the internet.
Once a targeted device is infected, HiatusRAT allows the threat actor to remotely interact with the system and turn the compromised machine into a covert SOCKS5 proxy. The packet-capture binary enables the actor to monitor router traffic on ports associated with email and file-transfer communications.
The Hiatus campaign is comprised of three main components:
A bash script that is deployed post-exploitation and retrieves the two executables below.
The HiatusRAT binary, which gives the actor remote access to the router and turns it into a covert SOCKS5 proxy.
A variant of tcpdump that captures traffic on ports associated with email and file-transfer communications, including traffic from the adjacent LAN passing through the router.