An ongoing hacking campaign called “Hiatus” targets DrayTek Vigor 2960 and 3900 router models to steal victims’ data and build a secret proxy network.
DrayTek Vigor devices are enterprise-class VPN routers used by small and medium businesses for remote connectivity to corporate networks.
The new hacking campaign, which began in July 2022 and is still ongoing, is based on three components: a malicious bash script, malware named ‘HiatusRAT’ and the legitimate ‘tcpdump,’ used to capture network traffic flowing through the router.
The HiatusRAT component is the most interesting aspect, giving the campaign its name. The tool is used to download additional payloads, execute commands on the hacked device, and convert the device into a SOCKS5 proxy to transmit commands and control server traffic.
The campaign was discovered by Lumen’s Black Lotus Labs, who report seeing at least 100 businesses infected with HiatusRAT, primarily in Europe, North America, and South America.
The Hiatus Attacks
At this time, researchers are unable to determine how the DrayTek routers were initially compromised. However, once the hackers gain access to the devices, they deploy a bash script that downloads three components to the router: the HiatusRAT and the legitimate tcpdump utility.
The script first downloads the HiatusRAT to ‘/database/.updata’ and runs it, causing the malware to listen on port 8816, and if there is already a process running on that port, he kills him first.
Then, it collects the following information from the hacked device:
- System data: MAC address, kernel version, system architecture, firmware version
- Networking data: Router IP address, local IP address, MAC of devices on adjacent LAN
- File system data: mount points, directory level path locations, file system type
- Process data: process names, IDs, UIDs, and arguments
HiatusRAT also sends a heartbeat POST message to C2 every 8 hours to help the threat actor track the status of the compromised router.
Black Lotus Labs reverse engineering analysis revealed the following malware features:
- configuration – load a new configuration from the C2
- shell – generate a remote shell on the infected device
- to file – read, delete or exfiltrate files to the C2
- executor – retrieve and execute a file from the C2
- script – run a script from the C2
- tcp_forward – forward any TCP dataset to the host’s listening port to a forwarding location
- socks5 – configure a SOCKS v5 proxy on the hacked router
- Stop – stop the execution of the malware
The purpose of the SOCKS proxy is to forward data from other infected machines through the hacked router, hiding network traffic and mimicking legitimate behavior.
The bash script will also install a packet capture tool that listens for network traffic to TCP ports associated with mail servers and FTP connections.
The monitored ports are port 21 for FTP, port 25 for SMTP, port 110 is used by POP3 and port 143 is associated with the IMAP protocol. Because communication over these ports is unencrypted, threat actors could steal sensitive data, including email content, credentials, and the contents of uploaded and downloaded files.
Therefore, the attacker aims to capture sensitive information transmitted through the compromised router.
“Once this packet capture data reaches a certain file length, it is sent to the “C2 download” located at 46.8.113[.]227 as well as host router information,” the Black Lotus report reads.
“This allows the threat actor to passively capture email traffic that has passed through the router and some file transfer traffic.”
The Hiatus campaign is small in scale, but it can still have a big impact on victims, potentially stealing email and FTP credentials for later network access. Lumen researchers believe it is likely that the threat actor deliberately maintains a small attack volume to evade detection.
Black Lotus scans revealed that as of mid-February 2023, approximately 4,100 vulnerable DrayTek routers were exposed on the internet, so compromising only 2.4% indicates mannerism.