Saturday, November 2, 2024
HomeCyber Security NewsCuttlefish 0-click Malware Hijacks Routers & Captures Data

Cuttlefish 0-click Malware Hijacks Routers & Captures Data

Published on

Malware protection

Cuttlefish is a new malware platform that has been identified to be active since at least July 2023.

This malware platform specifically targets networking equipment like enterprise-grade small office/home office routers.

The latest campaign is discovered to be ongoing from October 2023 till April 2024. 

- Advertisement - SIEM as a Service

Additionally, 99% of the malware’s targets were found to be victims within Turkey, where more than 600 unique IP addresses, mainly belonging to two telecom firms, Were uncovered.

Rest of the victims out of this Turkey region were clients of the Global Satellite phone providers and US-based data center.

The code of the malware overlaps with HiatusRAT, which was targeting victims who are Interested in the People’s Republic of China.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

However, this malware does not have the same victimology and also has additional functionalities like DNS and HTTP Hijacking for connections to Private IP space.

Technical Analysis

Cuttlefish malware is primarily designed to steal authentication details from web requests.

When the router sends these requests, the threat actor can bypass anomalous sign-in-based analytics via stolen authentication credentials.

To extract the data found in the web requests, the threat actor creates a proxy or VPN tunnel from the compromised networking equipment and uses the stolen credentials to access specific resources. 

The initial access vector of this malware campaign is still unclear. However, when exploited, the threat actor deploys a bash script on the compromised host to send the details to the C2 server. 

Malware Hijacking parameters (Source: Black Lotus Labs)

This bash script also downloads and executes Cuttlefish malware that performs a multi-step process for installing a packet filter to inspect all outbound connections alongside details of the use of specific ports, protocols, and destination IP addresses.

All of the rules and configurations are specified in the configuration file sent to the C2 server.

The malware is provided with instructions to hijack traffic to particular private IP addresses and sniff the traffic to public IP addresses to steal credentials.

As a matter of fact, compromising networking equipment provides multiple options to route the manipulation, hijack connections, employ sniffing over the traffic for stealing authentication, and gain access to the cloud ecosystem with the stolen credentials.

Malware Analysis

To explain it better, there are multiple files and functionalities present in the malware such as 

  • Bash script (Files)
  • Primary Payload, Cuttlefish (Files)
  • Retrieval of RuleSets
  • Credential Harvesting
  • Logger and Data Transmission
  • Hijack Functionality
  • VPN Functionality
  • Private Proxy Functionality
Malware campaign (Source: Black Lotus Labs)

The bash script enumerates the device and gathers information such as directory listing, contents of the /etc and /etc/config, running processes, active connections and drive mounts.

All of this data is compressed as a TAR file with the name “co.tmp.tar.gz” which is then uploaded to the C2 server.

After this exfiltration, the TAR file is deleted from the system, and the bash script downloads the trojan from the payload server and stores it in the /tmp directory with the name “.timezone.” The prefix “.” allows the threat actor to escape the “ls” command.

The primary payload, Cuttlefish, is then executed, which only binds to port 61235 to ensure that only one instance is running.

However, it will display an error message in case another process is using the port. 

After this, it will check for the .timezone file that was dropped in the last step and try to execute it with a bash command “/tmp/.timezone -a -b 5000 -z -d”.

The “.timezone” file is replaced with “.putin” in the latest version and multiple commands has been added to the malware.

If the file exists, the malware will overwrite the uuid with the contents of the file.

The RuleSet retrieval functionality sets up the secure connection to the C2 server for downloading and updating the ruleset.

The output of the payload is saved to “/tmp/config.js” which is then parsed to update “http_rule_hearttime”, “dns log status”, “script” and “http_rule_version.”

Once all the configuration is in place, the malware creates two threads in which one is for keeping the track heartbeat time and the other is for monitoring traffic moving across selected interfaces.

Furthermore, the credential harvesting functionality retrieves credentials from web requests and the VPN functionality uses an open-source project named “n2n”. However, the Hijack functionality uses the http_hijack_heartime and other commands. 

The proxy functionality was based on another open-source project “socks_proxy”. Furthermore, a complete report has been published by Black Lotus Researchers which provides detailed information about the functionalities, files and source code of the malware.

Indicators of Compromise

Payload Server and corresponding file hashes: 

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...