VTA-004456 – New HiatusRAT Malware Campaign Targets Taiwan and U.S. Defense
In March 2023, Lumen Black Lotus Labs uncovered a sophisticated cyber campaign named “HiatusRAT” that infected over 100 edge networking devices globally. The campaign exploited edge routers to secretly gather traffic and operate as a concealed command and control (C2) network. After the initial report, ongoing tracking revealed new malware samples and infrastructure linked to HiatusRAT. The campaign’s focus shifted in June, targeting a U.S. military procurement system and organizations in Taiwan. This departure from previous Latin American and European targets aligned with the strategic interests of China.
The “HiatusRAT” malware is a sophisticated cyber campaign that targets business-grade routers. Once a router is infected, the malware deploys two malicious components: a Remote Access Trojan (RAT) called HiatusRAT and a variant of tcpdump for packet capture.
HiatusRAT’s main purpose is twofold. First, it allows the threat actor to remotely interact with the compromised system. It checks for existing processes and opens a listener on a specific port, sending host-based information back to a command and control (C2) server. Second, HiatusRAT turns the compromised router into a covert proxy for the threat actor, forwarding traffic to obfuscate command and control. HiatusRAT’s activity consists of three components: a bash script, HiatusRAT itself, and the packet-capture binary. HiatusRAT includes functions like remote shell execution, file manipulation, and the ability to establish SOCKS5 proxies. The packet-capture binary records traffic on specific ports and sends it to a C2 server.
Despite exposure, the group persisted with their activities, recompiling malware for various architectures and distributing them through procured virtual private servers (VPSs). Specific VPS nodes were used to target Taiwanese entities and even engage in data transfers with a U.S. military server associated with contract proposals. The objective likely involved gathering publicly available data on military requirements and Defense Industrial Base (DIB) involvement.
From mid-June to August 2023, multiple new versions of HiatusRAT malware emerged, targeting different architectures. The threat actor maintained consistency in their communication methods, using the same heartbeat and upload server as in previous reports. The hosting server for HiatusRAT payloads shifted over time, with various IP addresses observed.
The campaign revealed the actor’s ability to compromise edge network devices for access to valuable targets. Defense contractors were advised to monitor for HiatusRAT and ensure the security of their networking devices.
Severity:
Medium
Technical Impact Analysis:
Loss of Accountability, Loss of Confidentiality
Business Impact Analysis:
Financial Damage, Non-Compliance
Attack Surfaces:
Infrastructure, Others
Tactics:
Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Collection, Command and Control, Exfiltration
Techniques:
T1190 – Exploit Public-Facing Application
T1059 – Command-Line Interface
T1105 – Ingress Tool Transfer
T1063 – Security Software Discovery
T1010 – Application Window Discovery
T1068 – Exploitation for Privilege Escalation
T1222 – File and Directory Permissions Modification
T1218 – Signed Binary Proxy Execution
T1110 – Brute Force
T1016 – System Network Configuration Discovery
T1082 – System Information Discovery
T1005 – Data from Local System
T1043 – Commonly Used Port
T1041 – Exfiltration Over C2 Channel
Indicator or Compromise:
https://otx.alienvault.com/pulse/64e3b66c6ec75a3cdb614955.
References:
https://blog.centurylink.com/hiatusrat-takes-little-time-off-in-a-return-to-action/
SuperPRO’s Threat Countermeasures Procedures:
1. Keep router firmware up to date. Manufacturers often release updates that fix security vulnerabilities.
2. Segment your network to isolate critical systems from less critical ones. For instance, keep IoT devices on a separate network from devices that store sensitive information.
3. Disable remote management of your router if it’s not necessary. This can prevent attackers from accessing your router’s settings from outside your local network.
4. Use a firewall to filter incoming and outgoing traffic. Additionally, install reputable security software on your devices to detect and block malware.
5. Choose routers from reputable manufacturers that provide regular security updates and support for their devices.
6. Turn off any unnecessary services or features on your router. This reduces the potential attack surface.
Contributed by: Narzwan