Saturday, July 20, 2024

HiatusRAT Malware Attacks Routers to Gain Remote Access & Download Files

Lumen’s Black Lotus Labs recently observed that hackers are currently targeting DrayTek Vigor router models 2960 and 3900 in a campaign known as ‘Hiatus’.

The primary goal of hackers is to steal data from victims and establish a covert proxy network for cyberespionage purposes.

Vigor devices from DrayTek are business-class VPN routers used for remote access to corporate networks by small and medium-sized organizations.

It has been estimated that about 4,100 DrayTek routers are vulnerable on the internet as of mid-February 2023. It is estimated that this represents approximately 2% of the total number of DrayTek routers that are exposed.

There are three key components involved in this latest hacking campaign, which began in July 2022 and is still ongoing to this day:-

  • A malicious bash script
  • A malware named “HiatusRAT”
  • The legitimate ‘tcpdump’

The most interesting part of the campaign is its HiatusRAT component, which gives the campaign its name. The tool is used for several purposes:-

  • Downloading additional payloads
  • Running commands on the breached device
  • Converting the device into a SOCKS5 proxy

Technical Analysis

HiatusRAT has infected approximately a hundred businesses mainly in the following regions:-

  • America
  • Europe
  • North America

It is not yet known how the DrayTek routers were initially compromised; the researchers have so far been unable to determine how that occurred.

After gaining access to the device, the threat actors deploy a bash script that downloads three components to the router.

The script first downloads HiatusRAT to ‘/database/.updata’ and runs it from there. The malware checks whether a process is already listening on port 8816; if so, it kills that process and then listens on the port itself.

HiatusRAT lets the threat actor track the status of the compromised router by sending a heartbeat POST to the C2 every eight hours.

The following are some of the industries that have been negatively impacted:-

  • Pharmaceuticals
  • IT services
  • Consulting firms
  • Municipal government

Data Collected

From the breached device, the following information is collected:

  • MAC address
  • Kernel version
  • System architecture
  • Firmware version
  • Router IP address
  • Local IP address
  • MACs of devices on adjacent LAN
  • Mount points
  • Directory-level path locations
  • Filesystem type
  • Process names
  • IDs
  • UIDs
  • Arguments


As a result of Black Lotus Labs’ reverse engineering analysis of the malware, the following features have been revealed:-

  • config: Load a new configuration from the C2.
  • shell: Spawn a remote shell on the infected device.
  • file: Read, delete, or exfiltrate files to the C2.
  • executor: Retrieve a file from the C2 and execute it.
  • script: Run a script supplied by the C2.
  • tcp_forward: Forward any TCP data received on the host’s listening port to a configured forwarding address.
  • socks5: Set up a SOCKS v5 proxy server on the compromised router.
  • quit: Terminate the malware.

SOCKS is used to obfuscate network traffic and mimic legitimate behavior while forwarding data from other infected machines.

The bash script also installs a packet-capturing tool, which the attackers use to monitor TCP ports associated with mail servers and FTP connections.

The monitored ports are:-

  • Port 21 (FTP)
  • Port 25 (SMTP)
  • Port 110 (POP3)
  • Port 143 (IMAP)

Even though Hiatus is a small campaign in scale, the impact it has on the victims can be extremely serious. Research conducted by Lumen indicates that the threat actor has deliberately maintained a small volume of attacks in order to avoid detection.



BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
