Lumen’s Black Lotus Labs recently witnessed that Hackers are currently targeting DrayTek Vigor router models 2960 and 3900 in a campaign known as ‘Hiatus’.
The primary goal of hackers is to steal data from victims and establish a covert proxy network for cyberespionage purposes.
Vigor devices from DrayTek are business-class VPN routers used for remote access to corporate networks by small and medium-sized organizations.
It has been estimated that about 4,100 DrayTek routers are vulnerable on the internet as of mid-February 2023. It is estimated that this represents approximately 2% of the total number of DrayTek routers that are exposed.
There are three key components involved in this latest hacking campaign, which began in July 2022 and is still ongoing to this day:-
The most interesting part of the campaign is its HiatusRAT component, which gives the campaign its name in the first place. There are several purposes for which this tool is used and here they are mentioned below:-
For additional payloads downloading
On the breached device running commands
Converting the device into a SOCKS5 proxy
HiatusRAT has infected approximately a hundred businesses mainly in the following regions:-
It is not yet known how DrayTek routers were initially compromised, and even scientists at this time are unable to determine how that occurred.
The threat actors download three components to the router by deploying a bash script, and they do so after they gain access to the device.
As part of this script, the first step is to download the HiatusRAT to ‘/database/.updata’ and run it from there. Upon detecting that a process is already running on port 8816, the malware begins listening for it and kills it.
As part of HiatusRAT’s monitoring system, the threat actor can track the status of the compromised router by sending a heartbeat POST to the C2 every eight hours.
The following are some of the industries that have been negatively impacted:-
From the breached device, the following information is collected:
As a result of Black Lotus Labs’ reverse engineering analysis of the malware, the following features have been revealed:-
SOCKS is used to obfuscate network traffic and mimic legitimate behavior while forwarding data from other infected machines.
A packet-capturing tool will also be installed by the bash script when it is run. With the help of this tool, TCP ports connected to mail servers and FTP connections are monitored.
Here below we have mentioned the monitored ports:-
Even though Hiatus is a small campaign in scale, the impact it has on the victims can be extremely serious. Research conducted by Lumen indicates that the threat actor has deliberately maintained a small volume of attacks in order to avoid detection.
Network Security Checklist – Download Free E-Book
PortSwigger released a brand-new version of Burp Suite 2023.6 that is intended for both Professional…
The North Korean APT group Kimsuky has been running a social engineering operation that targets experts…
Recently, cybersecurity researchers uncovered that over 60,000 Android applications had been stealthily disguised as genuine…
Google has recently taken prompt security measures by releasing a security update for its Chrome…
A major MOVEit Hack has impacted many businesses, notably the BBC, British Airways, Boots, and…
A Vulnerability Scanner Tools is one of the essential tools in IT departments Since vulnerabilities…