Researchers have discovered advanced malware that targets business-grade routers, turning them into attacker-controlled listening posts that can steal files and capture email traffic. The campaign, named Hiatus, has been operating since at least last July and primarily hits end-of-life DrayTek Vigor 2960 and 3900 models, devices that typically provide VPN connectivity for hundreds of remote workers. So far the threat actor behind the campaign has infected roughly 2% of the DrayTek 2960 and 3900 routers exposed on the internet, about 100 devices. Researchers believe the attacker has deliberately kept the footprint small to keep the operation stealthy.
The malware passively captures email traffic on the ports used by IMAP, SMTP, and POP, and also backdoors the router with a remote access Trojan (RAT). The RAT lets the attackers download files and execute commands of their choice. It also lets them relay traffic from other servers through the router, turning it into a private proxy that hides the origin of their malicious activity.
Lumen’s Black Lotus Labs researchers wrote: “This type of agent demonstrates that anyone with a router who uses the internet can potentially be a target – and they can be used as a proxy for another campaign – even if the entity that owns the router does not view themselves as an intelligence target.” The researchers found that Hiatus consists of two main binaries, the first being HiatusRAT. Once installed, it lets a remote threat actor run commands or new software on the device. The RAT also has two unusual additional functions built in: (1) “convert the compromised machine into a covert proxy for the threat actor,” and (2) use an included packet-capture binary to “monitor router traffic on ports associated with email and file-transfer communications.”
The second binary is a variant of tcpdump, which performs the packet capture. It is the engine behind the second function, giving Hiatus the ability to monitor traffic on the email and FTP ports of the adjacent LAN. Hiatus targets a range of architectures, with prebuilt binaries compiled for ARM, MIPS64 big-endian, and MIPS32 little-endian platforms.
Black Lotus Labs is still unsure how the devices were initially compromised. Once access has been gained, however, the malware is deployed by a bash script that installs the two main binaries.
The packet-capture capability of HiatusRAT is a stark warning to anyone who still sends or retrieves email without encryption. Most email services now configure clients to use encrypted transport, such as IMAP over TLS on port 993 or STARTTLS on port 143, with the equivalent options for POP (995, or STLS on 110) and SMTP submission (465, or STARTTLS on 587). One caveat for the STARTTLS variants: a device sitting in the traffic path is not limited to passive listening, so clients should be configured to require TLS rather than merely prefer it, otherwise a failed upgrade silently falls back to plaintext. Anyone still using these protocols in the clear is handing a compromised router their messages and their mailbox credentials.
Routers are internet-connected computers and need the same care as any other host: apply updates regularly, replace every default password, and retire end-of-life models such as the affected DrayTek units, which no longer receive patches. Businesses should also consider dedicated router monitoring so that unexpected outbound connections or proxy traffic from the device are noticed.
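To make the exposure concrete, here is an added example (not code from the original article, from Lumen or from Black Lotus Labs) that audits captured client-to-server email sessions the way an analyst would if asked what a capture on the email ports hands an attacker. The sessions, addresses and credentials are constructed; the port table and the login-command patterns are the standard ones for IMAP, POP3 and SMTP, and the TLS detection looks only at the record header of a ClientHello.

```python
"""Added example: what a passive capture on the email ports yields.

Each Session is a constructed, client-to-server byte stream on one of the
ports an on-router packet-capture binary would watch. The audit classifies
every session and pulls out any credentials that travel in the clear, which
is exactly what a plaintext IMAP/POP3/SMTP login leaks to whoever holds the
capture. All sample data is fabricated (documentation IP ranges, fake users).
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Destination ports for the three email protocols, plaintext and TLS variants
EMAIL_PORTS = {25: "smtp", 587: "smtp", 465: "smtp",
               110: "pop3", 995: "pop3",
               143: "imap", 993: "imap"}

# Credential-bearing commands in the plaintext form of each protocol
IMAP_LOGIN = re.compile(r"^\S+ LOGIN (\S+) (\S+)$", re.I | re.M)
POP3_USER = re.compile(r"^USER (\S+)$", re.I | re.M)
POP3_PASS = re.compile(r"^PASS (\S+)$", re.I | re.M)
SMTP_AUTH_PLAIN = re.compile(r"^AUTH PLAIN (\S+)$", re.I | re.M)
# Opportunistic TLS upgrade: STARTTLS (IMAP/SMTP) or STLS (POP3)
STARTTLS = re.compile(r"^(?:\S+ )?(?:STARTTLS|STLS)$", re.I | re.M)


@dataclass
class Session:
    client: str
    server: str
    dport: int
    payload: bytes  # client-to-server bytes as a capture would see them


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), major version 3, then a
    ClientHello handshake message (type 0x01) at offset 5."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def extract_credentials(proto: str, text: str):
    """Return (user, password) if a plaintext login command is present."""
    if proto == "imap":
        m = IMAP_LOGIN.search(text)
        return (m.group(1), m.group(2)) if m else None
    if proto == "pop3":
        u, p = POP3_USER.search(text), POP3_PASS.search(text)
        return (u.group(1), p.group(1)) if u and p else None
    if proto == "smtp":
        m = SMTP_AUTH_PLAIN.search(text)
        if not m:
            return None
        try:
            # SASL PLAIN is base64("authzid\0authcid\0password")
            parts = base64.b64decode(m.group(1)).split(b"\0")
        except binascii.Error:
            return None
        if len(parts) == 3:
            return (parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace"))
    return None


def classify(session: Session):
    """Return (verdict, proto, credentials) for one captured session."""
    proto = EMAIL_PORTS.get(session.dport)
    if proto is None:
        return ("not-email", None, None)
    if is_tls_client_hello(session.payload):
        # Implicit TLS (993/995/465): the capture holds nothing but TLS records
        return ("encrypted", proto, None)
    text = session.payload.decode("latin-1").replace("\r\n", "\n")
    creds = extract_credentials(proto, text)
    if creds:
        return ("plaintext-credentials", proto, creds)
    if STARTTLS.search(text):
        # Upgrade requested before any login: only the handshake is visible
        return ("starttls-upgrade", proto, None)
    return ("plaintext", proto, None)


def audit(sessions):
    """Sessions whose credentials a passive capture would recover."""
    return [(s.client, s.server, s.dport, proto, creds[0])
            for s in sessions
            for verdict, proto, creds in [classify(s)]
            if verdict == "plaintext-credentials"]


TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, 0xc4, 0x03, 0x03])
SAMPLE_SESSIONS = [  # constructed captures; addresses are documentation ranges
    Session("192.0.2.10", "198.51.100.5", 143, b"a001 LOGIN alice Hunter2!\r\na002 SELECT INBOX\r\n"),
    Session("192.0.2.11", "198.51.100.5", 110, b"USER bob\r\nPASS correct-horse\r\nSTAT\r\n"),
    Session("192.0.2.12", "198.51.100.6", 587,
            b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\0carol\0s3cret") + b"\r\n"),
    Session("192.0.2.13", "198.51.100.5", 143, b"a001 STARTTLS\r\n" + TLS_HELLO),
    Session("192.0.2.14", "198.51.100.5", 993, TLS_HELLO),
    Session("192.0.2.15", "198.51.100.7", 22, b"SSH-2.0-OpenSSH_9.3\r\n"),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s.client, "->", f"{s.server}:{s.dport}", classify(s))
    print("exposed:", audit(SAMPLE_SESSIONS))
```

Three of the six constructed sessions give up a username and password to anyone reading the capture; the two TLS sessions give up nothing beyond the fact that a handshake happened. The matcher is deliberately narrow (it does not handle IMAP quoted or literal strings, `AUTH LOGIN`, or CRAM-MD5), so treat a `plaintext` verdict as "inspect further", not as proof that nothing leaked. A client that requests STARTTLS but falls back to plaintext when the upgrade fails would show up here as `plaintext-credentials`, which is the failure mode a required-TLS client setting prevents.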