
Hiatus.RAT Data Thieves
A new malware campaign, Hiatus, targets business-grade routers to spy on victims in Latin America, Europe, and North America. The campaign deploys two malicious binaries: a remote access trojan called HiatusRAT, and a variant of tcpdump that can capture packets on the target device.
Indicators of Compromise
Hashes (24)
3b1eb827895f4943de20274dbb8f31dcff8e26ec2573f482abbd1a8fdd80fc81
9690a3e310ed96073035c4cc3436fa9c0932a5b7dcc829c03f229c25d7dc5031
ffca0c6ca91ce7070c3e5e41d7c983a2cb01eb90c2c968a1d1e17136ba8609ff
1eafb9eb36f6045fac9289df716ea9f3f657fd9c560660bfc70bebd0e07c1d42
025f9a3a15960d2d7584ff90922e1c69f33c00508de4caa8b05a1341142b31f1
661dd56f6e21e42cfb93fc2ab77678b040dc673b88af31d78fafe91700c72413
37fc5db2da1cd4b75787d8c3079ca4b7709bf788e7e2021e525c04e97a0e2b38
243f11debec9e100cc51fb155ec68cd73e3ca516b2518bc3307f5381bcc52b20
c55a8c027482ce281903f4b6b0b370a6efc7252c644fb8fb4f4ff8e7ff90fdbc
92357ef322ff6af7256397267d1919cbb78bfdcccb6e5e394877bdc4fa80ad8e
38600d1e0f3e9fdfbce2a6658ba050347281842345c5dd5e07cc70b287cbed13
ef965c5a9815e1e2dcb7bfa4664beafdc7b57b5af3a8dd122a770ad9d8e34b71
323f026dcbe6b70b67e415dba80c9729984976eeb6b20a48a5dae8b10e4dc724
6eb7357c0492960150286418e2a2f18513f50e925630bf2e6235422143f2e6c6
+4 more
IPv4 (4)
66.42.108.185
149.248.0.203
46.8.113.227
104.250.48.192
Notes
<div><span style="color: var(--q-dark);">Hiatus is a complex and elusive malware campaign that targets business-grade routers in Latin America, Europe, and North America. It has been in operation since at least July 2022 and deploys two malicious binaries: a remote access trojan called HiatusRAT and a variant of tcpdump. Once a system is infected, HiatusRAT enables remote interaction and converts the compromised machine into a covert proxy for the threat actor. The packet-capture binary allows the actor to monitor router traffic on ports associated with email and file-transfer communications.</span><br></div><div><br></div><div>The threat cluster primarily targets end-of-life DrayTek Vigor router models 2960 and 3900, with approximately 100 internet-exposed devices compromised as of mid-February 2023. The impacted industry verticals include pharmaceuticals, IT services/consulting firms, and municipal government, among others.</div><div><br></div><div>The goal of the campaign is suspected to be spying on targets and establishing a stealthy proxy network. The impacted devices are high-bandwidth routers that can support hundreds of VPN connections simultaneously, and they typically live outside the traditional security perimeter, which makes them easier to compromise and to hold as a long-term foothold without detection.</div><div><br></div><div>The initial access vector used in the attacks is currently unknown, but a successful breach is followed by the deployment of a bash script that downloads and executes HiatusRAT and the packet-capture binary. HiatusRAT is a feature-rich malware capable of harvesting router information, running processes, contacting remote servers to fetch files or run arbitrary commands, and proxying command-and-control (C2) traffic through the router.</div>
Mitigation
<div><span style="color: var(--q-dark);">To mitigate the risk of being impacted by the HiatusRAT malware, the following mitigations can be considered:</span></div><ul><li>Keep your router firmware up to date: Make sure your router firmware is up to date with the latest security patches. If your router model is no longer supported by the manufacturer, consider upgrading to a newer model that is still supported.</li><li>Change default login credentials: Make sure to change the default login credentials for your router, including the username and password. Use strong, unique passwords that are difficult to guess or crack.</li><li>Use network segmentation: Segregate your network by creating separate VLANs for different types of devices, such as IoT devices, workstations, and servers. This will limit the impact of any potential breach and make it more difficult for the malware to spread laterally.</li><li>Use intrusion detection and prevention systems: Consider using intrusion detection and prevention systems that can detect and block suspicious traffic or behavior.</li><li>Implement access control: Limit the number of devices that have access to your router's administration interface, and ensure that only authorized users can modify the router settings.</li><li>Regularly monitor router traffic: Regularly monitor your router traffic for any unusual activity, such as spikes in traffic or connections to suspicious IP addresses. This can help you detect any potential breaches early on.</li><li><span style="color: var(--q-dark);">Implement two-factor authentication: Enable two-factor authentication for your router's administration interface, which can provide an additional layer of security against unauthorized access.</span></li></ul><div><span style="color: var(--q-dark);">By following these mitigations, you can reduce the risk of being impacted by the HiatusRAT malware and other similar threats.</span></div>
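The "monitor router traffic" mitigation and the indicator lists above can be turned into a concrete sweep. The following Python script is an added example, not code from the original advisory or from the researchers who published the campaign: it checks constructed flow-log lines against the IPv4 indicators on this page, checks a set of file hashes against the SHA-256 indicators shown above, and counts flows to the email and file-transfer ports the notes say the packet-capture binary targets. The flow-log line format, the function names, the concrete port numbers and the sample data are assumptions; only the IPs and hashes come from the page.

```python
# Added example (not from the original page): sweep flow logs and file hashes for the
# HiatusRAT indicators listed in the IoC section. The flow-log line format, the port
# numbers and the function names are assumptions; the IPs and SHA-256 values are the page's.
import ipaddress
import re
from collections import Counter

# IPv4 indicators from the page.
HIATUS_IPS = frozenset({
    "66.42.108.185", "149.248.0.203", "46.8.113.227", "104.250.48.192",
})

# SHA-256 indicators from the page (the 14 hashes shown there), lowercase hex.
HIATUS_SHA256 = frozenset({
    "3b1eb827895f4943de20274dbb8f31dcff8e26ec2573f482abbd1a8fdd80fc81",
    "9690a3e310ed96073035c4cc3436fa9c0932a5b7dcc829c03f229c25d7dc5031",
    "ffca0c6ca91ce7070c3e5e41d7c983a2cb01eb90c2c968a1d1e17136ba8609ff",
    "1eafb9eb36f6045fac9289df716ea9f3f657fd9c560660bfc70bebd0e07c1d42",
    "025f9a3a15960d2d7584ff90922e1c69f33c00508de4caa8b05a1341142b31f1",
    "661dd56f6e21e42cfb93fc2ab77678b040dc673b88af31d78fafe91700c72413",
    "37fc5db2da1cd4b75787d8c3079ca4b7709bf788e7e2021e525c04e97a0e2b38",
    "243f11debec9e100cc51fb155ec68cd73e3ca516b2518bc3307f5381bcc52b20",
    "c55a8c027482ce281903f4b6b0b370a6efc7252c644fb8fb4f4ff8e7ff90fdbc",
    "92357ef322ff6af7256397267d1919cbb78bfdcccb6e5e394877bdc4fa80ad8e",
    "38600d1e0f3e9fdfbce2a6658ba050347281842345c5dd5e07cc70b287cbed13",
    "ef965c5a9815e1e2dcb7bfa4664beafdc7b57b5af3a8dd122a770ad9d8e34b71",
    "323f026dcbe6b70b67e415dba80c9729984976eeb6b20a48a5dae8b10e4dc724",
    "6eb7357c0492960150286418e2a2f18513f50e925630bf2e6235422143f2e6c6",
})

# The page says the capture binary watches "ports associated with email and file-transfer";
# the concrete numbers below are the standard service ports (an assumption, not a page list).
WATCHED_PORTS = {21: "ftp", 25: "smtp", 110: "pop3", 143: "imap",
                 465: "smtps", 587: "submission", 993: "imaps", 995: "pop3s"}

# Assumed flow-log line shape: "<ts> src=<ip> dst=<ip> dport=<n> proto=<p> ..."
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def parse_flow_line(line):
    """Parse one flow-log line; return a dict, or None for malformed lines."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:  # skip records whose addresses are not valid IPs instead of crashing the sweep
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def find_ioc_connections(lines):
    """Return (ts, src, dst, dport, matched_ioc) for every flow touching a listed IP."""
    hits = []
    for line in lines:
        rec = parse_flow_line(line)
        if rec is None:
            continue
        for peer in (rec["dst"], rec["src"]):  # either direction is suspicious
            if peer in HIATUS_IPS:
                hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], peer))
                break
    return hits


def match_file_hashes(path_to_sha256):
    """Return paths whose SHA-256 (in any letter case) is a listed indicator."""
    return sorted(p for p, h in path_to_sha256.items() if h.strip().lower() in HIATUS_SHA256)


def watched_port_summary(lines):
    """Count flows to the email/file-transfer ports whose traffic the capture binary targets."""
    counts = Counter()
    for line in lines:
        rec = parse_flow_line(line)
        if rec is not None and rec["dport"] in WATCHED_PORTS:
            counts[WATCHED_PORTS[rec["dport"]]] += 1
    return dict(counts)


# Constructed sample input (not real telemetry); one outbound and one inbound IoC flow.
SAMPLE_FLOW_LOG = [
    "2023-02-15T10:01:02Z src=10.0.0.5 dst=104.250.48.192 dport=443 proto=tcp bytes=1532",
    "2023-02-15T10:01:07Z src=10.0.0.17 dst=142.250.74.36 dport=443 proto=tcp bytes=8821",
    "2023-02-15T10:02:11Z src=10.0.0.9 dst=198.51.100.20 dport=25 proto=tcp bytes=4410",
    "2023-02-15T10:03:45Z src=46.8.113.227 dst=10.0.0.1 dport=443 proto=tcp bytes=212",
    "garbage line that should be skipped",
]
SAMPLE_FILE_HASHES = {  # constructed paths; first hash is an uppercase copy of a page IoC
    "/tmp/.updater": "3B1EB827895F4943DE20274DBB8F31DCFF8E26EC2573F482ABBD1A8FDD80FC81",
    "/usr/bin/tcpdump": "deadbeef" * 8,  # placeholder, not a real hash
}

if __name__ == "__main__":
    for hit in find_ioc_connections(SAMPLE_FLOW_LOG):
        print("IoC connection:", hit)
    print("IoC file hashes:", match_file_hashes(SAMPLE_FILE_HASHES))
    print("Flows to watched ports:", watched_port_summary(SAMPLE_FLOW_LOG))
```

Matching on both source and destination matters because the advisory describes the router acting as a proxy as well as contacting C2, so an indicator address can appear on either side of a flow. The watched-port summary is not an alert by itself; it shows which internal hosts pass email or file-transfer traffic through a router of the affected type, which is the traffic the packet-capture component would expose.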