Hiatus Malware Attacks Business-Class Routers, Turning Them into Spying Devices

Written by William Reddy

Information security specialists have discovered a malicious campaign, Hiatus, in which malware attacks routers: it has infected about 100 end-of-life DrayTek Vigor 2960 and 3900 routers (roughly 2% of the units of these models that are exposed to the Internet) in order to steal their owners' data and build a covert proxy network.

Let me remind you that we also wrote that Spyware Predator Uses Five 0-day Vulnerabilities to Attack Android Users, and also that Iranian RatMilad Spyware Attacks Android Users.

Experts warn that as part of the Hiatus campaign, which has spread to North and South America, as well as Europe, hackers can intercept victims’ email and steal files.

[Figure: Hiatus attack map]

Lumen Black Lotus Labs analysts say the hacking campaign, active since July 2022, is targeting DrayTek Vigor devices, which are business-class VPN routers used by small and medium businesses to connect remotely to corporate networks.

The attacks rely on three components: a malicious bash script, the Hiatus RAT itself, and a legitimate copy of tcpdump that is used to capture network traffic passing through the router.

The key component is Hiatus, which is used to download additional payloads, execute commands on a compromised device, and turn the device into a SOCKS5 proxy that relays command-and-control (C2) traffic.


Interestingly, the researchers have so far not been able to determine exactly how the attackers compromise the DrayTek routers. It is only known that once they have access, they run a bash script that downloads Hiatus together with the legitimate tcpdump binary.

Once installed, the malware collects the following information from a compromised device:

  1. system data (MAC address, kernel version, system architecture, firmware version);
  2. network data (the router's IP address, its local IP address, and the MAC addresses of devices on the adjacent LAN);
  3. file system data (mount points, directory paths, file system type);
  4. process data (process names, identifiers, UIDs, and arguments).

Once the malware is installed, the attackers can: run commands, spawn shells or launch new software on the device; read, delete or exfiltrate files to a remote server; fetch and execute arbitrary files and scripts; set up a SOCKS v5 proxy on the compromised device; forward arbitrary TCP data to an open port on another host; and so on.

Experts emphasize that Hiatus can do more than turn a compromised machine into a proxy server: it also captures packets in order to “monitor router traffic on ports associated with email and file transfers.” In other words, the malware watches network traffic on the TCP ports used by mail servers and FTP.

Monitored ports: 21 (FTP), 25 (SMTP), 110 (POP3) and 143 (IMAP). Communications on these ports are plaintext unless the client negotiates an upgrade to TLS (STARTTLS, STLS or AUTH TLS), so a sniffer sitting on the router can read email content, credentials and the contents of transferred files; a client whose upgrade request is refused and which then falls back to the clear is exposed all the same. The implicit-TLS ports for these services (465, 993, 995, 990) are not in the monitored set and cannot be read this way.
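To make the plaintext-protocol point concrete, here is an added example (my code, not the report's and not the malware's) that pulls credentials out of reassembled client/server transcripts for the four sniffed ports. It also handles the TLS-upgrade edge case: once the client requests an upgrade and the server accepts it, nothing further is readable; if the server refuses, the client usually continues in the clear and the credentials are exposed after all. The sessions are constructed sample data, and the (direction, line) representation is an assumption about how reassembled TCP payloads would be fed in.

```python
"""Credentials recoverable from plaintext FTP, SMTP, POP3 and IMAP sessions.

Added example, not code from the Hiatus report or Black Lotus Labs. Feed it
the reassembled lines of one TCP session (direction 'C' = client->server,
'S' = server->client) plus the server port; it returns what a passive sniffer
on that port would learn. All sessions below are constructed sample data.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    protocol: str
    username: str
    password: str


PORT_PROTOCOL = {21: "ftp", 25: "smtp", 110: "pop3", 143: "imap"}

# Client command that asks for a TLS upgrade, and the server reply that grants it.
TLS_UPGRADE = {
    "ftp":  (re.compile(r"(?i)^AUTH\s+(TLS|SSL)$"), re.compile(r"^234\b")),
    "smtp": (re.compile(r"(?i)^STARTTLS$"),         re.compile(r"^220\b")),
    "pop3": (re.compile(r"(?i)^STLS$"),             re.compile(r"^\+OK\b")),
    "imap": (re.compile(r"(?i)^\S+\s+STARTTLS$"),   re.compile(r"(?i)^\S+\s+OK\b")),
}
USER_PASS_RE = re.compile(r"(?i)^(USER|PASS)\s+(.*)$")          # ftp and pop3
IMAP_LOGIN_RE = re.compile(r'(?i)^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?$')
SMTP_AUTH_PLAIN_RE = re.compile(r"(?i)^AUTH\s+PLAIN\s+(\S+)$")
SMTP_AUTH_LOGIN_RE = re.compile(r"(?i)^AUTH\s+LOGIN$")


def _b64(s: str) -> str:
    return base64.b64decode(s).decode("utf-8", "replace")


def extract_credentials(port: int, transcript) -> list:
    proto = PORT_PROTOCOL.get(port)
    if proto is None:
        return []                       # not one of the ports the sniffer watches
    upgrade_cmd, upgrade_ok = TLS_UPGRADE[proto]
    creds, user, login_stage, login_user, tls_pending = [], None, None, None, False
    for direction, line in transcript:
        if direction == "S":
            if tls_pending and upgrade_ok.match(line):
                break                   # TLS handshake follows; the rest is opaque to a sniffer
            tls_pending = False         # upgrade refused (or no upgrade asked): still in the clear
            continue
        if upgrade_cmd.match(line):
            tls_pending = True
            continue
        if proto in ("ftp", "pop3"):
            m = USER_PASS_RE.match(line)
            if m and m.group(1).upper() == "USER":
                user = m.group(2)
            elif m and user is not None:
                creds.append(Credential(proto, user, m.group(2)))
                user = None
        elif proto == "imap":
            m = IMAP_LOGIN_RE.match(line)
            if m:
                creds.append(Credential(proto, m.group(1), m.group(2)))
        elif proto == "smtp":
            if login_stage == "user":           # AUTH LOGIN: base64 username, then base64 password
                login_user, login_stage = _b64(line), "pass"
            elif login_stage == "pass":
                creds.append(Credential(proto, login_user, _b64(line)))
                login_stage = None
            elif SMTP_AUTH_LOGIN_RE.match(line):
                login_stage = "user"
            else:
                m = SMTP_AUTH_PLAIN_RE.match(line)
                if m:                           # AUTH PLAIN: base64("\0user\0pass")
                    parts = base64.b64decode(m.group(1)).split(b"\0")
                    if len(parts) == 3:
                        creds.append(Credential(proto, parts[1].decode(), parts[2].decode()))
    return creds


# Constructed sample sessions (not real captures).
SMTP_AUTH_LOGIN = [
    ("S", "220 mail.example.test ESMTP"), ("C", "EHLO laptop"),
    ("S", "250-mail.example.test"), ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "AUTH LOGIN"), ("S", "334 VXNlcm5hbWU6"),
    ("C", base64.b64encode(b"alice@example.test").decode()), ("S", "334 UGFzc3dvcmQ6"),
    ("C", base64.b64encode(b"Winter2023!").decode()), ("S", "235 2.7.0 Authentication successful"),
]
POP3_STLS_ACCEPTED = [                      # server upgrades to TLS: nothing readable afterwards
    ("S", "+OK POP3 ready"), ("C", "STLS"), ("S", "+OK Begin TLS negotiation"),
    ("C", "USER bob"), ("C", "PASS hunter2"),   # stands in for the ciphertext a sniffer would see
]
FTP_AUTH_TLS_REFUSED = [                    # server refuses TLS, client logs in anyway
    ("S", "220 FTP ready"), ("C", "AUTH TLS"), ("S", "502 Command not implemented"),
    ("C", "USER bob"), ("S", "331 Password required"), ("C", "PASS hunter2"), ("S", "230 Logged in"),
]
IMAP_PLAIN_LOGIN = [
    ("S", "* OK IMAP4rev1 ready"), ("C", "a001 LOGIN carol s3cret"), ("S", "a001 OK LOGIN completed"),
]
```

Running `extract_credentials(21, FTP_AUTH_TLS_REFUSED)` yields bob's FTP password even though the client asked for TLS first, while the accepted POP3 STLS session yields nothing; the same function run over your own reassembled captures finds clients that still authenticate in the clear.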


“Once the data reaches a certain file length, it is uploaded to the server located at 46.8.113[.]227, along with information about the compromised router. This allows attackers to passively intercept email traffic passing through the router and some file transfer traffic,” Black Lotus Labs said in its report.
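The write-up gives two concrete things to hunt for: a tcpdump process on the router whose capture filter names the mail and FTP ports, and traffic to the upload server 46.8.113[.]227. The following added example (my code, not Black Lotus Labs' and not part of the implant) checks both over constructed sample data; the `ps` layout (PID USER COMMAND) and the flow-log layout (timestamp src:port dst:port proto bytes) are assumptions about your own logging, and the upload server's destination port in the sample is made up.

```python
"""Hunt for the Hiatus observables reported by Black Lotus Labs.

Added example, not code from the report or from the Hiatus implant. It flags
(1) a tcpdump process whose BPF filter names the FTP/SMTP/POP3/IMAP ports and
(2) any flow to the reported upload server. All inputs are constructed sample
data; the ps and flow-log layouts are assumptions.
"""
import re
import shlex

C2_UPLOAD_SERVER = "46.8.113.227"       # upload server named in the Black Lotus Labs report
SNIFFED_PORTS = {21, 25, 110, 143}      # FTP, SMTP, POP3, IMAP

# tcpdump options that consume the following token, so it is not part of the filter
TCPDUMP_OPTS_WITH_ARG = {"-i", "-w", "-r", "-c", "-s", "-C", "-G", "-W", "-z", "-Z",
                         "-F", "-B", "-m", "-T", "-y", "-E", "-j", "-V", "-Q", "-M"}


def tcpdump_filter_ports(cmdline: str) -> set:
    """Ports named as 'port N' in the BPF filter of a tcpdump command line (empty if not tcpdump)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return set()
    # A renamed binary would need a hash check instead; the report names the tool as tcpdump.
    if not argv or not argv[0].endswith("tcpdump"):
        return set()
    filt, skip = [], False
    for tok in argv[1:]:
        if skip:
            skip = False
        elif tok in TCPDUMP_OPTS_WITH_ARG:
            skip = True
        elif not tok.startswith("-"):
            filt.append(tok)
    return {int(p) for p in re.findall(r"\bport\s+(\d+)", " ".join(filt))}


def tcpdump_captures_mail_or_ftp(cmdline: str) -> bool:
    return bool(tcpdump_filter_ports(cmdline) & SNIFFED_PORTS)


# assumed flow-log layout: timestamp src_ip:src_port dst_ip:dst_port proto bytes
FLOW_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3}):(\d+)\s+(\d+(?:\.\d+){3}):(\d+)\s+(\w+)\s+(\d+)$")


def c2_contacts(flow_lines) -> list:
    """(timestamp, source, bytes) for every flow whose destination is the upload server."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if m and m.group(4) == C2_UPLOAD_SERVER:
            hits.append((m.group(1), m.group(2), int(m.group(7))))
    return hits


def hunt(ps_lines, flow_lines) -> list:
    findings = []
    for line in ps_lines:
        parts = line.split(None, 2)             # assumed layout: PID USER COMMAND
        if len(parts) == 3 and tcpdump_captures_mail_or_ftp(parts[2]):
            findings.append(f"pid {parts[0]}: tcpdump capturing mail/FTP ports: {parts[2]}")
    for ts, src, nbytes in c2_contacts(flow_lines):
        findings.append(f"{ts}: {src} sent {nbytes} bytes to {C2_UPLOAD_SERVER}")
    return findings


# Constructed sample input (not from a real device).
SAMPLE_PS = [
    "1 root /sbin/init",
    "842 root /usr/sbin/sshd",
    "913 root /tmp/tcpdump -i eth0 -w /tmp/cap.pcap port 21 or port 25 or port 110 or port 143",
    "957 root tcpdump -i eth1 -nn port 53",           # benign DNS capture, must not fire
]
SAMPLE_FLOWS = [                                       # destination port 443 is made up
    "2023-03-06T10:01:12Z 203.0.113.10:51412 198.51.100.25:443 tcp 1830",
    "2023-03-06T10:04:55Z 203.0.113.10:51420 46.8.113.227:443 tcp 262144",
    "2023-03-06T10:05:01Z 192.168.1.50:40022 46.8.113.227:443 tcp 900",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_PS, SAMPLE_FLOWS):
        print(finding)
```

The process check only applies where you can get a process listing off the router; the flow check works from the network side, which is usually all a defender has for an appliance, and it deliberately flags LAN hosts talking to the upload server as well as the router itself.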

The experts conclude that the Hiatus attacks only underline the need to secure the router ecosystem: the devices themselves should be monitored, rebooted and updated regularly, and routers that have reached end of support from the manufacturer should be replaced.

Let me remind you that information security specialists also said that the creation of the Chinese Comac C919 aircraft was accompanied by hacker attacks and cyber espionage.

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.
