A new sophisticated malware campaign called “Hiatus” has been discovered by Lumen Black Lotus Labs, targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America since at least July 2022.
The campaign deploys two malicious binaries: a remote access trojan called HiatusRAT and a variant of tcpdump used to capture packets on the target device.
Once a system is infected, HiatusRAT allows the attacker to remotely interact with the system and turn it into a covert proxy to monitor router traffic on ports associated with email and file-transfer communications.
The threat cluster primarily singles out end-of-life (EoL) DrayTek Vigor router models 2960 and 3900, with around 100 internet-exposed devices compromised as of mid-February 2023.
Some of the impacted industry verticals include pharmaceuticals, IT services/consulting firms, and municipal government, among others. Interestingly, this represents only a small fraction of the 4,100 DrayTek 2960 and 3900 routers that are publicly accessible over the internet, suggesting that the threat actor may be intentionally maintaining a minimal footprint to limit their exposure.
Given that the impacted devices are high-bandwidth routers that can support hundreds of VPN connections, it’s suspected that the goal is to spy on targets and establish a stealthy proxy network.
The exact initial access vector used in the attacks is unknown, but a successful breach is followed by the deployment of a bash script that downloads and executes HiatusRAT and a packet-capture binary.
HiatusRAT is feature-rich: it can harvest router information and the list of running processes, and it can contact a remote server to fetch files or run arbitrary commands. It is also capable of proxying command-and-control (C2) traffic through the router.
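A defender watching for the covert-proxy behaviour described above can correlate router flow records: an unsolicited inbound session to the router on an unexpected port, followed shortly by router-originated sessions to mail or file-transfer ports, is a relay pattern worth triaging. The following is an added example written for this article, not code from Lumen Black Lotus Labs; the router address, the port sets, the log format and the sample records are all constructed assumptions.

```python
# Added illustrative example, not code from Lumen Black Lotus Labs or the article.
# Heuristic: a router that starts accepting unsolicited sessions on an unexpected
# port and shortly afterwards opens its own sessions to mail/file-transfer ports
# resembles the covert-proxy behaviour described in the text. Addresses, ports
# and the log format below are assumptions made for this demo.
from collections import namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src sport dst dport")

ROUTER_WAN = "203.0.113.10"                  # assumed WAN address of the router
EXPECTED_INBOUND = {443, 500, 1194, 4500}    # assumed legitimate VPN/admin listeners
WATCHED_PORTS = {21, 22, 25, 110, 143, 465, 587, 993, 995}  # mail and file transfer

def parse_flow(line):
    """Parse one constructed flow line: '<iso-time> <src>:<sport> > <dst>:<dport>'."""
    ts, src, _, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), s_ip, int(s_port), d_ip, int(d_port))

def find_relay_pairs(lines, window=timedelta(seconds=30)):
    """Return (inbound, outbound) pairs where an unexpected inbound session to the
    router is followed within `window` by a router-originated session to a watched
    port on a different host. Behind NAT, LAN clients also egress as ROUTER_WAN, so
    the inbound trigger is what keeps this from firing on every user's mail check."""
    flows = sorted((parse_flow(l) for l in lines), key=lambda f: f.ts)
    inbound = [f for f in flows if f.dst == ROUTER_WAN and f.dport not in EXPECTED_INBOUND]
    outbound = [f for f in flows if f.src == ROUTER_WAN and f.dport in WATCHED_PORTS]
    return [(i, o) for i in inbound for o in outbound
            if timedelta(0) <= o.ts - i.ts <= window and o.dst != i.src]

# Constructed sample: one VPN login, one odd inbound session, then router-originated
# SMTP and FTP sessions; the later IMAP session has no preceding inbound trigger.
SAMPLE_LOG = [
    "2023-02-10T09:00:00 198.51.100.7:51000 > 203.0.113.10:443",
    "2023-02-10T09:00:05 198.51.100.23:40211 > 203.0.113.10:8816",
    "2023-02-10T09:00:07 203.0.113.10:34001 > 192.0.2.44:25",
    "2023-02-10T09:00:09 203.0.113.10:34002 > 192.0.2.60:21",
    "2023-02-10T09:05:00 203.0.113.10:34003 > 192.0.2.80:443",
    "2023-02-10T09:10:00 203.0.113.10:34004 > 192.0.2.90:143",
]

def alerts(lines=SAMPLE_LOG):
    """One human-readable alert per correlated pair; two for the sample above."""
    return [f"{i.ts.isoformat()} inbound {i.src}:{i.sport}->{i.dport} then "
            f"{o.ts.isoformat()} router->{o.dst}:{o.dport}" for i, o in find_relay_pairs(lines)]
```

The correlation window and the allow-list of expected inbound ports must be tuned to the router's real role (VPN concentrator, management access), otherwise legitimate remote-access sessions will produce noise.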
The use of compromised routers as proxy infrastructure is likely an attempt to obfuscate the C2 operations, according to researchers. The findings come more than six months after Lumen Black Lotus Labs also shed light on another router-focused malware campaign that used a novel trojan called ZuoRAT.
Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs, said, “The discovery of Hiatus confirms that actors are continuing to pursue router exploitation.
These campaigns demonstrate the need to secure the router ecosystem, and routers should be regularly monitored, rebooted, and updated, while end-of-life devices should be replaced.”