What is a Remote Access Trojan (RAT)?
A Remote Access Trojan (RAT) is a malicious programme that gives an attacker unauthorised access to a victim's computer or network. RATs are usually propagated through software exploits, social engineering, or phishing emails. Once installed, the malware lets the attacker take direct control of the infected device and carry out a variety of tasks, such as stealing confidential information, editing files, or installing additional malware. RATs can also capture keystrokes, take screenshots, turn on the victim's camera, and listen in on conversations. Users should take precautions against RAT infections, such as keeping their antivirus software updated and avoiding suspicious email attachments and downloads.
How HiatusRAT Works:
HiatusRAT lets the attacker remotely control the compromised router and use it as a covert proxy. With the separate packet-capturing binary, the actor can observe router traffic on the ports used for email and file-transfer communications. The campaign's threat actors mainly targeted i386-based end-of-life routers, but prebuilt binaries for MIPS, i386, and ARM-based chips were also discovered.
HiatusRAT can stealthily record victims' activity and gather system information such as the MAC address, kernel version, process name, UID, and firmware version. It also gathers network data from the ARP cache and the output of the ifconfig programme.
The campaign has three key elements: HiatusRAT, a bash script that deploys the two malicious binaries, and a tcpdump variant that captures packets on the target device. Using the tcpdump binary, the attackers can monitor traffic on ports connected to email and file-transfer communications from the adjacent LAN. According to researchers, the binary came in four builds, for ARM, i386, MIPS64 big-endian, and MIPS32 little-endian.
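As an added example (not code from the article or from the researchers' report), the following Python scans a constructed router process listing for packet-capture commands that filter on email and file-transfer ports, the behaviour attributed above to the campaign's tcpdump variant. The port numbers, the tool names and the sample process lines are assumptions of this example, since the article names only the protocol families.

```python
import re
import shlex

# Well-known email and file-transfer ports. The article names the protocol
# families only; these port numbers are an assumption of this example.
MAIL_FT_PORTS = {21, 25, 110, 143, 465, 587, 993, 995}
CAPTURE_TOOLS = {"tcpdump", "tshark", "dumpcap"}
PORT_FILTER = re.compile(r"\bport\s+(\d{1,5})\b")

# Constructed router process listing (PID USER CMD); not real campaign data.
SAMPLE_PS = """\
  412 root /usr/sbin/dropbear -p 22
 1780 root /tmp/.cap -i br0 -w /tmp/m.pcap tcp port 25 or port 143
 2201 root tcpdump -i eth0 -nn port 21 -w /var/cap.pcap
 2330 root /usr/bin/tcpdump -i eth0 port 443
"""

def capture_findings(cmdline):
    """Describe a command line that looks like a packet capture, else None.
    A renamed capture binary is caught by its BPF-style port filter, not by name."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    ports = sorted({int(p) for p in PORT_FILTER.findall(cmdline)} & MAIL_FT_PORTS)
    if prog not in CAPTURE_TOOLS and not ports:
        return None
    return {
        "tool": prog,
        "ports": ports,                 # mail/file-transfer ports being filtered on
        "writes_file": "-w" in argv,    # capture saved to disk for later collection
        "severity": "high" if ports else "low",
    }

def scan_process_list(ps_output):
    """Run capture_findings over each 'PID USER CMD' line; return the flagged ones."""
    findings = []
    for line in ps_output.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        finding = capture_findings(parts[2])
        if finding:
            finding["pid"] = int(parts[0])
            findings.append(finding)
    return findings
```

Feeding the output of `ps` from a router into `scan_process_list` flags both a stock tcpdump and a renamed capture binary, with the highest severity reserved for filters on the mail and file-transfer ports the campaign watched.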
According to researchers, the campaign has been running since July 2022. The threat actors keep their footprint as small as possible to reduce their exposure while retaining key points of presence. At least 100 computers have been infected in the latest incident, mostly in Europe and Latin America. The malware has occasionally been found targeting routers with MIPS and ARM-based architectures. The actors' ultimate objective was to build a covert proxy network and collect sensitive data from compromised systems.
Concluding Note:
Researchers are still monitoring the campaign to determine the extent and severity of the malware. As attackers continue to target routers, organisations are urged to use VPN-based access to safeguard data and strengthen their security posture. Data in transit can be protected with cryptographic protocols such as SSL and TLS. Security experts can also search GitHub for more details on the IOCs related to the operation.