New HiatusRAT Malware Hits Business-Grade Routers to Covertly Spy on Victims (22nd March 2023)

Ref# AL2023_21 | Date: Mar 22nd 2023

Description 

A new and highly sophisticated piece of malware called HiatusRAT targets routers made for business use. The elusive campaign uses two malicious files: the remote access trojan identified by Lumen Black Lotus Labs and a variant of tcpdump that permits packet capture on the target device.

Details   

The cybercriminals use three tools to intercept traffic: a malicious bash script, the RAT itself (HiatusRAT), and a tcpdump variant. On compromised devices, HiatusRAT performs several operations. It can gather system data such as the MAC address, kernel version, process name, UID, and firmware version, and discreetly record its victims' activities. The malware also gathers network data from the ARP cache and the output of the ifconfig command. HiatusRAT can execute commands on the infected device, download additional malware, and turn the device into a SOCKS5 proxy for C2 server communication. The packet-capture binary lets the actor monitor router traffic on ports associated with email and file-transfer communications.

Indicators of compromise (IOCs)   

IoCs for the HiatusRAT malware are listed in the source below.

New HiatusRAT router malware covertly spies on victims – AlienVault – Open Threat Exchange 

Remediation   

We urge the public to watch for and alert on these and any related IoCs. Moreover, we suggest the following:

  • Self-managed router users should follow recommended practices: monitor their networks frequently, reboot their routers, and apply security patches and upgrades. End-of-life devices cannot be patched against known vulnerabilities and should be replaced with models that are supported by the vendor.

  • To safeguard data and improve their security posture, businesses should consider a complete Secure Access Service Edge (SASE) or comparable solution that uses VPN-based access.

  • To help secure data in transit, users should enable the most recent cryptographic protocols. For example, they should only use email services that use SSL and TLS. Secure Simple Mail Transfer Protocol (specified in RFC 2821 and using the feature that terminates the session if a secure connection can't be established), encrypted IMAP, and encrypted POP3 are examples of more secure email systems (defined in RFC 2595, which uses ports 993 and 995).
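As an added example (not part of this advisory), the following Python script triages connection records for the two risk signals the alert describes: cleartext mail or file-transfer sessions that a router-resident packet capture could read, and a managed router that itself opens outbound sessions, as it would when turned into a SOCKS5 proxy. The router addresses, port watch lists and sample records are assumptions constructed for the example.

```python
# Added example, not from the advisory: triage connection records for the two
# risk signals HiatusRAT raises. Every address and record below is constructed.
from dataclasses import dataclass

# Assumed watch list: protocols whose cleartext form exposes credentials and
# message content to a packet capture running on the router.
CLEARTEXT_PORTS = {21: "FTP", 25: "SMTP", 110: "POP3", 143: "IMAP"}
# Assumed: addresses of the managed edge routers (documentation range).
ROUTER_IPS = {"192.0.2.1"}
# Assumed: destination ports a router legitimately initiates itself (DNS, NTP).
EXPECTED_ROUTER_DPORTS = {53, 123}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    tls: bool  # True when the session was TLS from the start or upgraded via STARTTLS


def triage(flows):
    """Return (flow, reason) pairs worth an analyst's attention."""
    findings = []
    for f in flows:
        # A router should forward traffic, not originate sessions to arbitrary
        # hosts; unexplained outbound connections fit the SOCKS5-proxy behaviour.
        if f.src in ROUTER_IPS and f.dport not in EXPECTED_ROUTER_DPORTS:
            findings.append((f, "router-initiated outbound connection"))
        # Mail and file transfer that never negotiated TLS can be read off the wire.
        if f.dport in CLEARTEXT_PORTS and not f.tls:
            findings.append((f, f"cleartext {CLEARTEXT_PORTS[f.dport]} session"))
    return findings


# Constructed sample records.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", 143, tls=False),   # plain IMAP login
    Flow("10.0.0.6", "198.51.100.20", 993, tls=True),    # IMAPS, fine
    Flow("192.0.2.1", "203.0.113.9", 443, tls=True),     # router calling out
    Flow("192.0.2.1", "198.51.100.53", 123, tls=False),  # router NTP, expected
    Flow("10.0.0.7", "198.51.100.21", 25, tls=True),     # SMTP with STARTTLS
    Flow("10.0.0.8", "198.51.100.22", 21, tls=False),    # plain FTP
]

if __name__ == "__main__":
    for flow, reason in triage(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}: {reason}")
```

In production the expected-destination allowlist must be tuned to the router's real management traffic (vendor update servers, syslog, SNMP collectors) or the router-outbound rule will be noisy.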

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.    
