Cybersecurity researchers from Black Lotus Labs recently uncovered a new campaign that uses vulnerable business routers (opens in new tab) to steal sensitive data and build a covert proxy network.
As reported by BleepingComputer (opens in new tab), the researchers discovered that two models of the DrayTek Vigor routers – 2960, and 3900, are being used to distribute a piece of malware called HiatusRAT.
This remote access trojan is used to download more malicious payloads that execute various commands on the infected endpoint, and turn the device into a SOCKS5 proxy to pass command-and-control server traffic.
Stealing data and running files
The majority of the victims, the report says, are in Europe, North, and South America. The researchers aren’t sure what the initial point of contact for the infected devices is.
Still, they did reverse-engineer the malware and discovered that it steals system data (MAC address, kernel version, etc.), networking data (IP addresses), file system data, and process data (process names, IDs, UIDs, etc.). Furthermore, the RAT sends a heartbeat POST to the server every eight hours, which the attackers use to monitor the infected device.
Furthermore, it can read, delete, and upload files, download and run programs, forward any TCP data set to the host’s listening port, and stop itself if necessary.
The researchers say all of this is needed for the threat actors to be able to grab sensitive data moving through the router.
“Once this packet capture data reaches a certain file length, it is sent to the “upload C2” located at 46.8.113[.]227 along with information about the host router,” the researchers explained. “This allows the threat actor to passively capture email traffic that traversed the router and some file transfer traffic.”
While not many firms are infected with Hiatus, its impact can still be great, the researchers said, as the hackers can steal email and FTP credentials.
Via: BleepingComputer (opens in new tab)