New Hiatus Malware Targets Business-Grade Routers to Spy on Victims, says Lumen Black Lotus Labs
Lumen Black Lotus Labs recently revealed a new and complex malware campaign targeting business-grade routers in Latin America, Europe, and North America. Dubbed "Hiatus", the campaign deploys two malicious binaries: HiatusRAT and a variant of tcpdump.
Once the targeted system is infected, HiatusRAT enables the attacker to remotely interact with the system, convert it into a covert proxy, and monitor router traffic on ports associated with email and file-transfer communications. Hiatus primarily targets end-of-life (EoL) DrayTek Vigor router models 2960 and 3900.
As of mid-February 2023, the campaign had compromised around 100 internet-exposed devices. This is only a small fraction of the roughly 4,100 DrayTek 2960 and 3900 routers publicly accessible over the internet, which suggests that "the threat actor is intentionally maintaining a minimal footprint to limit their exposure." Because the targeted devices are high-bandwidth routers capable of supporting hundreds of simultaneous VPN connections, the goal is likely to spy on targets and establish a stealthy proxy network.

According to Mark Dehus, Director of Threat Intelligence for Lumen Black Lotus Labs, these devices typically live outside the traditional security perimeter and are not monitored or updated regularly, which makes them an ideal place for attackers to establish and maintain long-term persistence without detection.

The initial access vector used in the attacks is still unknown. Once a device is breached, however, the attackers deploy a bash script that downloads and executes HiatusRAT and a packet-capture binary. HiatusRAT can harvest router information and the list of running processes, contact a remote server to fetch files, and run arbitrary commands. It can also proxy command-and-control (C2) traffic through the router; the researchers said that using compromised routers as proxy infrastructure is an attempt to obfuscate the C2 operations.
This discovery comes after Lumen Black Lotus Labs revealed an unrelated router-focused malware campaign that used a novel trojan called ZuoRAT. "The discovery of Hiatus confirms that actors are continuing to pursue router exploitation," Dehus said. "These campaigns demonstrate the need to secure the router ecosystem, and routers should be regularly monitored, rebooted, and updated, while end-of-life devices should be replaced."