Remote Access Trojan 'HiatusRAT' Targets Router Firmware
Researchers with Lumen Black Lotus Labs discovered a new malware campaign that they have named "Hiatus". This campaign targets business-grade routers, mainly the DrayTek Vigor models 2960 and 3900, which can support VPN connections for remote workers and are ideal for medium-sized businesses. Once a router is infected, the malware deploys two malicious binaries: a Remote Access Trojan (RAT) known as HiatusRAT, and a variant of tcpdump that enables packet capture.
HiatusRAT allows the attackers to remotely interact with the infected system and convert it into a covert proxy. The packet-capture binary allows the actor to monitor router traffic on the ports associated with email and file-transfer communications. The threat actors behind the campaign have primarily targeted end-of-life routers running an i386 architecture, but prebuilt binaries that target MIPS, i386, and ARM-based chips were also uncovered.
Lumen Black Lotus Labs® has identified at least 100 infected victims, mainly in Europe and Latin America, using proprietary telemetry from the Lumen global IP backbone. The latest version of the malware became active in the middle of 2022. The campaign's suspected goals are data collection and establishing a covert proxy network.
The Hiatus campaign is made up of three components: a bash script, HiatusRAT, and a variant of tcpdump that enables packet capture. HiatusRAT serves two purposes: it lets the actor remotely interact with the infected device, and it acts as a SOCKS5 proxy on the router. The proxy enables the actor to relay command-and-control (C&C) traffic through the router, obfuscating command and control from an additional agent elsewhere.
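Because HiatusRAT turns the router into a SOCKS5 proxy, a defender reviewing packet captures from a router can check whether sessions the device accepts begin with a SOCKS5 handshake as defined in RFC 1928. The sketch below is an added example, not code from Lumen's report or this article; the function names and sample payloads are constructed, and it assumes the first two client payloads of each TCP session have already been extracted and that the handshake is sent in cleartext.

```python
import ipaddress

METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "user/pass"}   # RFC 1928
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}

def parse_greeting(data: bytes):
    """Return offered auth methods for a well-formed client greeting, else None."""
    if len(data) < 3 or data[0] != 0x05:
        return None
    # Exact-length check rejects other protocols that merely start with 0x05.
    if len(data) != 2 + data[1]:
        return None
    return [METHODS.get(m, f"0x{m:02x}") for m in data[2:]]

def parse_request(data: bytes):
    """Return (command, host, port) for a well-formed request, else None."""
    if len(data) < 7 or data[0] != 0x05 or data[2] != 0x00:
        return None
    cmd, atyp, body = COMMANDS.get(data[1]), data[3], data[4:]
    if cmd is None:
        return None
    if atyp == 0x01 and len(body) == 6:               # IPv4 address
        host = str(ipaddress.IPv4Address(body[:4]))
    elif atyp == 0x04 and len(body) == 18:            # IPv6 address
        host = str(ipaddress.IPv6Address(body[:16]))
    elif atyp == 0x03 and len(body) == 3 + body[0]:   # length-prefixed name
        host = body[1:1 + body[0]].decode("ascii", errors="replace")
    else:
        return None
    return cmd, host, int.from_bytes(body[-2:], "big")

def flag_socks5(sessions):
    """sessions: (label, first_payload, second_payload) sent by the client."""
    hits = []
    for label, first, second in sessions:
        methods = parse_greeting(first)
        if methods is not None:
            hits.append((label, methods, parse_request(second)))
    return hits

# Constructed payloads using documentation addresses; not real traffic.
NAME = b"mail.example.org"
SAMPLES = [
    ("session-a", bytes.fromhex("050100"), bytes.fromhex("05010001c63364190050")),
    ("session-b", bytes.fromhex("05020002"),
     b"\x05\x01\x00\x03" + bytes([len(NAME)]) + NAME + (143).to_bytes(2, "big")),
    ("session-c", bytes.fromhex("160301"), b""),      # TLS record header
    ("session-d", bytes.fromhex("050200"), b""),      # starts 0x05, wrong length
]
```

A hit from `flag_socks5(SAMPLES)` is a lead for review rather than proof of infection, since any SOCKS5 service produces the same handshake.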
What is a Remote Access Trojan?
A Remote Access Trojan (RAT) is a type of malicious software that provides unauthorized access to a victim's computer or network. RATs are usually spread via phishing emails, social engineering tactics, or software exploits. Once installed, the attacker gains remote control over the compromised device and can perform various actions such as stealing sensitive data, modifying files, or installing additional malware. RATs can also be used to spy on the victim's activities, record keystrokes, take screenshots, and turn on the victim's camera and microphone. RATs are considered a severe threat to privacy and security, and users should take steps to prevent their installation, such as keeping their antivirus software up to date and avoiding suspicious email attachments or downloads.