7 March 2023

New HiatusRAT router malware covertly spies on victims



Security researchers have spotted a previously undocumented malware campaign that targets business-grade routers, specifically DrayTek Vigor models, and infects them with two malicious binaries: the HiatusRAT malware and a variant of the tcpdump command-line utility that enables packet capture on the compromised device.

The observed Hiatus campaign has focused on end-of-life DrayTek Vigor 2960 and 3900 models running an i386 architecture, according to a report from Lumen's Black Lotus Labs. The researchers also found prebuilt binaries targeting MIPS, i386 and ARM-based architectures, so the actor is equipped to infect other platforms. Because the targeted models are end-of-life, no further vendor firmware fixes should be expected for them.

“The impacted models are high-bandwidth routers that can support VPN connections for hundreds of remote workers and offer ideal capacity for the average, medium-sized business. We suspect the actor infects targets of interest for data collection, and targets of opportunity for the purpose of establishing a covert proxy network,” Black Lotus Labs said.

The latest Hiatus campaign started in July 2022, although the researchers believe the activity cluster predates 2022. Black Lotus Labs identified around 100 infected devices, mainly located in Europe and Latin America, which represents nearly 2% of the DrayTek 2960 and 3900 routers currently exposed to the internet.

Once a device is infected, HiatusRAT allows the threat actor to remotely interact with it and to turn the router into a covert SOCKS5 proxy. The packet-capture binary lets the actor monitor router traffic on ports associated with email and file-transfer protocols.

The Hiatus campaign is comprised of three main components:

  • A bash script that is deployed post-exploitation and retrieves the two executables below

  • HiatusRAT

  • A variant of tcpdump that enables packet capture

The tcpdump binary allows the actor to monitor traffic on ports associated with email and file-transfer communications, including traffic from the adjacent LAN that passes through the router.
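Because HiatusRAT turns an infected router into a SOCKS5 proxy, one cheap hunting check is to send the RFC 1928 client greeting to router ports that should not speak SOCKS and see whether they answer with a SOCKS5 method-selection reply. The following is an added example written for this page; it is not code from the article or from the Black Lotus Labs report, and the function names (`probe_socks5`, `start_fake_server`, `demo`) are this example's own. The local fake servers are constructed so the probe can be exercised offline against a SOCKS5-style responder, an HTTP responder and a service that closes silently.

```python
"""Hunt for an unexpected SOCKS5 listener by speaking the RFC 1928 greeting.

Added example, not code from the article or from the Black Lotus Labs report.
A service that answers the SOCKS5 method-selection handshake on a router port
that should not speak SOCKS is worth a closer look. The local fake servers are
constructed for the demo so the probe runs offline.
"""
import socket
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00           # method 0x00: no authentication required
NO_ACCEPTABLE = 0xFF     # server accepts none of the offered methods


def socks5_greeting(methods=(NO_AUTH,)):
    """Client hello: VER | NMETHODS | METHODS (RFC 1928, section 3)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def probe_socks5(host, port, timeout=2.0):
    """Send the greeting and classify the reply.

    Returns ("socks5", method) when the peer answers VER=5 plus a one-byte
    method selection, ("closed", None) if it hangs up without answering,
    ("other", first_bytes) for any other protocol, or ("refused"/"timeout", None).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(socks5_greeting())
            reply = s.recv(64)
    except ConnectionRefusedError:
        return ("refused", None)
    except socket.timeout:
        return ("timeout", None)
    if not reply:
        return ("closed", None)
    # A SOCKS5 server answers the greeting with exactly two bytes: VER, METHOD.
    if len(reply) == 2 and reply[0] == SOCKS_VERSION:
        method = "no-acceptable-method" if reply[1] == NO_ACCEPTABLE else reply[1]
        return ("socks5", method)
    return ("other", reply[:8])


def start_fake_server(reply_bytes):
    """One-shot 127.0.0.1 listener that answers any client with reply_bytes.

    Constructed stand-in for a router port under test; returns (port, thread).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)          # consume the client's greeting
            if reply_bytes:
                conn.sendall(reply_bytes)
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def demo():
    """Probe four constructed services; returns the classification of each."""
    cases = {
        "socks5-noauth": bytes([SOCKS_VERSION, NO_AUTH]),
        "socks5-reject": bytes([SOCKS_VERSION, NO_ACCEPTABLE]),
        "http": b"HTTP/1.1 400 Bad Request\r\n\r\n",
        "silent-close": b"",
    }
    results = {}
    for name, reply in cases.items():
        port, thread = start_fake_server(reply)
        results[name] = probe_socks5("127.0.0.1", port)
        thread.join(5)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

Against a real router, run `probe_socks5` over the management and VPN ports exposed on the WAN side and on the LAN side; a "socks5" verdict on a port the vendor does not document as a proxy is a strong signal, while "other" or "closed" only says the port is not a plain SOCKS5 listener, not that the device is clean.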

More technical details on this campaign can be found in the Black Lotus Labs report, and additional Indicators of Compromise related to Hiatus are published alongside it.
