Thursday, January 23, 2025

Cuttlefish 0-click Malware Hijacks Routers & Captures Data


Cuttlefish is a new malware platform that has been identified to be active since at least July 2023.

This malware platform specifically targets networking equipment like enterprise-grade small office/home office routers.

The latest campaign was observed to be active from October 2023 until April 2024.

Additionally, 99% of the malware’s targets were found to be victims within Turkey, where more than 600 unique IP addresses, mainly belonging to two telecom firms, were uncovered.

The remaining victims outside Turkey were clients of global satellite phone providers and a US-based data center.

The code of the malware overlaps with HiatusRAT, which previously targeted victims of interest to the People’s Republic of China.


However, Cuttlefish does not share HiatusRAT’s victimology and adds functionality such as DNS and HTTP hijacking for connections to private IP space.

Technical Analysis

Cuttlefish malware is primarily designed to steal authentication details from web requests.

Because the credentials are stolen from requests passing through the router, the threat actor can use them to bypass analytics that rely on detecting anomalous sign-ins.

To extract the data found in the web requests, the threat actor creates a proxy or VPN tunnel from the compromised networking equipment and uses the stolen credentials to access specific resources.

The initial access vector of this malware campaign is still unclear. However, once a device is compromised, the threat actor deploys a bash script on the host to send details about it to the C2 server.

Malware Hijacking parameters (Source: Black Lotus Labs)

This bash script also downloads and executes the Cuttlefish malware, which performs a multi-step process to install a packet filter that inspects all outbound connections, matching on specific ports, protocols, and destination IP addresses.

All of the rules and configurations are specified in a configuration file retrieved from the C2 server.

The malware is provided with instructions to hijack traffic to particular private IP addresses and sniff the traffic to public IP addresses to steal credentials.

Compromising networking equipment gives the threat actor several options: manipulating routing, hijacking connections, sniffing traffic to steal authentication material, and using the stolen credentials to gain access to the cloud ecosystem.

Malware Analysis

To explain it better, there are multiple files and functionalities present in the malware, such as:

  • Bash script (Files)
  • Primary Payload, Cuttlefish (Files)
  • Retrieval of RuleSets
  • Credential Harvesting
  • Logger and Data Transmission
  • Hijack Functionality
  • VPN Functionality
  • Private Proxy Functionality

Malware campaign (Source: Black Lotus Labs)

The bash script enumerates the device and gathers information such as directory listing, contents of the /etc and /etc/config, running processes, active connections and drive mounts.

All of this data is compressed as a TAR file with the name “co.tmp.tar.gz” which is then uploaded to the C2 server.

After this exfiltration, the TAR file is deleted from the system, and the bash script downloads the trojan from the payload server and stores it in the /tmp directory with the name “.timezone”. The leading “.” hides the file from a plain “ls” listing.

The primary payload, Cuttlefish, is then executed. It binds to port 61235 to ensure that only one instance is running.

If another process is already using the port, it displays an error message instead.

After this, it will check for the .timezone file that was dropped in the last step and try to execute it with a bash command “/tmp/.timezone -a -b 5000 -z -d”.

The “.timezone” file is replaced with “.putin” in the latest version, and multiple commands have been added to the malware.

If the file exists, the malware will overwrite the uuid with the contents of the file.

The RuleSet retrieval functionality sets up the secure connection to the C2 server for downloading and updating the ruleset.

The output of the payload is saved to “/tmp/config.js” which is then parsed to update “http_rule_hearttime”, “dns log status”, “script” and “http_rule_version.”

Once all the configuration is in place, the malware creates two threads: one tracks the heartbeat time, and the other monitors traffic moving across selected interfaces.

Furthermore, the credential harvesting functionality retrieves credentials from web requests, and the VPN functionality uses an open-source project named “n2n”. The hijack functionality is driven by http_hijack_heartime and other commands.

The proxy functionality was based on another open-source project “socks_proxy”. Furthermore, a complete report has been published by Black Lotus Researchers which provides detailed information about the functionalities, files and source code of the malware.
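As an added host-triage example (not code from the article or from the Black Lotus Labs report), the check below looks for the installation artefacts named above: the files dropped under /tmp and the single-instance listener on TCP port 61235. It parses text in /proc/net/tcp format and is exercised against a constructed sample; only the file names and port come from the write-up.

```python
"""Triage helper for the Cuttlefish installation artefacts described above."""
import os
from pathlib import Path

# File names and port taken from the article; everything else is assumed.
DROPPED_FILES = ["/tmp/.timezone", "/tmp/.putin", "/tmp/config.js", "/tmp/co.tmp.tar.gz"]
MUTEX_PORT = 61235


def parse_listening_ports(proc_net_tcp: str) -> set[int]:
    """Return the TCP ports in LISTEN state (st == 0A) from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))  # port is hex
    return ports


def triage(existing_paths, listening_ports) -> list[str]:
    """Match observed files and listeners against the artefacts from the report."""
    findings = []
    for path in DROPPED_FILES:
        if path in existing_paths:
            findings.append(f"dropped file present: {path}")
    if MUTEX_PORT in listening_ports:
        findings.append(f"single-instance port {MUTEX_PORT} is listening")
    return findings


def triage_live_host() -> list[str]:
    """Run the same checks against the machine this script is executed on."""
    present = {p for p in DROPPED_FILES if os.path.exists(p)}
    try:
        tcp_table = Path("/proc/net/tcp").read_text()
    except OSError:  # not Linux, or /proc unavailable
        tcp_table = ""
    return triage(present, parse_listening_ports(tcp_table))


# Constructed sample: sshd listening on 22 (0x0016) and a listener on 61235 (0xEF33).
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 00000000:EF33 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0
"""

if __name__ == "__main__":
    for finding in triage_live_host():
        print(finding)
```

A hit on the port alone is only a lead, since any service could bind 61235; pair it with the file checks and the process command line described above before escalating.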

Indicators of Compromise

Payload Server and corresponding file hashes: 


Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
