Researchers have discovered advanced malware that turns business-grade routers into attacker-controlled listening posts that can sniff email and steal files in an ongoing campaign that has hit North and South America and Europe .
In addition to passively capturing IMAP, SMTP, and POP email, the malware also backdoors routers with a remote access Trojan that allows attackers to download files and run commands they chose. The backdoor also allows attackers to funnel data from other servers through the router, turning the device into a covert proxy for hiding the true source of malicious activity.
Black Lotus Labs
“This type of agent shows that anyone with a router that uses the Internet can be a target – and they can be used as a proxy for another campaign – even if the entity that owns the router is not looking – well themselves as an intelligence target,” wrote researchers from security firm Lumen’s Black Lotus Labs. “We suspect that threat actors will continue to use multiple compromised assets in conjunction with each other to avoid detection.”
Researchers say the campaign, called Hiatus, has been operating since July. Currently, this mainly affects the end-of-life DrayTek Vigor models 2960 and 3900 that run an i368 architecture. These high-bandwidth routers support virtual private network connections for hundreds of remote workers. To date, roughly 100 routers have been infected, which is about 2 percent of the DrayTek 2960 and 3900 routers exposed on the Internet. Researchers suspect that the unknown threat actor behind Hiatus deliberately kept its small footprint to maintain the stealth of the operation.
Black Lotus still doesn’t know how the devices were hacked in the first place. Once and for all that happens, the malware is installed via a bash script deployed after the exploit. This downloads and installs the two main binaries.
The first is HiatusRAT. Once installed, it allows a remote threat actor to do things like run commands or new software on the device. The RAT also has two unique additional functions built in : (1) “convert the compromised machine into a hidden proxy for the threat actor,” and (2) use an attached packet-capture binary to “monitor router traffic on email-related ports and file transfer communications.”
Researchers suspect that the threat actor includes a SOCKS 5 software in function 1 is to obfuscate the origin of malicious traffic by proxying it through an infected router. Black Lotus researchers wrote:
The HiatusRAT tcp_forward function allows a threat actor to relay their beaconing from a separate infection through a compromised device before hitting an upstream C2 node. Conversely, they can also echo their command to a web shell from the upstream infrastructure through the compromised router in the target device’s country, then interact with a more passive agent to remain anonymous. their real origin by bypassing geo-fencing based security measures.
Black Lotus Labs
A tcpdump binary that enables packet capture is the engine behind function 2. This gives Hiatus the ability to monitor traffic on ports that send email and FTP communications from adjacent LANs. It is preconfigured to work with IMAP, POP, and SMTP email protocols.
Black Lotus Labs
Hiatus primarily targets DrayTek routers running an i368 architecture. The researchers, however, discovered prebuilt binaries compiled for ARM, MIPS64 big endian, and MIPS32 little endian platforms.
HiatusRAT’s packet-capture ability should serve as a major wake-up call for anyone still sending unencrypted email. In recent years, email services have evolved to automatically configure accounts to use protocols such as SSL/TLS on port 993 or STARTTLS on port 143. Anyone who still sends email in plaintext will likely regret it sooner rather than later.
It is also a good idea to remember that routers are computers connected to the Internet, and as such, they require constant attention to ensure that updates and other measures, such as changing all the defaults password, followed. For businesses, it may also make sense to use dedicated router monitoring.