Share this article on:
A United States telco has discovered a new malware infection circulated on older routers made by the networking company DrayTek.
The novel malware — dubbed Hiatus by researchers at Lumen’s Black Lotus Labs — targets older, business-grade routers and deploys two binaries. One is the remote access trojan itself, HiatusRAT, and the other is a version of packet analyser tcpdump.
Even though the malware has been in circulation since at least July 2022, it is currently only infecting 100 or so devices. Hiatus runs on DrayTek Vigor models 2960 and 3900, which have both been discontinued by DrayTek, but can still be found for sale in stores and online.
You can even find pre-owned models on eBay. But given that Black Lotus Labs has not ascertained how the initial infection is spreading, perhaps second-hand routers of possibly unknown providence are not a good idea right now.
“The impacted models are high-bandwidth routers that can support VPN connections for hundreds of remote workers and offer ideal capacity for the average, medium-sized business,” Black Lotus Labs said in a blog post.
That figure of 100 devices is pretty low, but the researchers believe that may be by design — with such a small footprint, the developers may be hoping to evade detection. There are roughly 4,100 routers in use between the two affected models.
The initial phase of the infection is a bash script that, when run on a router, retrieves the other two components.
The HiatusRAT package first checks for any other instances of malware running on a device. If it finds one, it kills the process to make sure only one instance is ever running on a single device. The malware then listens to the port to collect information about the router, which it puts into a file to send to the threat actor’s command and control infrastructure.
The information package is gathered every eight hours and sent on.
The trojan can also run a number of prebuilt functions, including loading new config details from the C2 infrastructure, spawning a remote shell, and running scripts. Two functions, in particular, are designed to hide comms from other infected machines. A tcp_forward function is “likely designed to forward beacons or exfil from another RAT on another infected machine”, while SOCKS-5 functionality can forward commands sent to a web shell.
“This would allow the threat actor to interact with another agent from a compromised IP address and more closely mimic legitimate behaviour,” Black Lotus Labs said.
“This tactic would allow the actor to circumvent some detection capabilities based on geo-fencing or connections associated with bulletproof hosting providers.”
The tcpdump part of the malware can capture packet data sent through the router, including FTP traffic, SMTP, POP3, and IMAP data. This allows the malware’s operators to gather all the emails sent through a router, as well as some file transfers.
As of writing, the malware can be found on routers in North America, Europe, and the UK, as well as Latin America. Black Lotus Labs did note, however, that it had not found any instances of Hiatus in either New Zealand or Australia.
The combination of obfuscation elements that allow the malware to operate under the radar, and the passive manner in which the malware collects data, makes Hiatus a unique threat.
“This type of agent demonstrates that anyone with a router who uses the internet can potentially be a target — and they can be used as proxy for another campaign — even if the entity that owns the router does not view themselves as an intelligence target,” Black Lotus Labs concluded.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.