Get in Touch

Get in Touch

Get in Touch

Please get in touch using the form below.

Close form

Home / Threat Intelligence bulletins / Hiatus malware targets DrayTek routers for data theft and surveillance purposes

Target Industry

Indiscriminate, opportunistic targeting.

Overview

A HiatusRAT malware threat cluster has been detected, targeting end-of-life (EoL) DrayTek Vigor router models, with the aim of stealing data and forming covert networks. Initiated in July 2022, the campaign has compromised approximately 100 internet-exposed devices as of mid-February 2023, and is still ongoing.

The following three attack vector components have been classified as pertaining to the campaign: a malicious bash script, HiatusRAT malware and ‘tcpdump’.

Following successful exploitation, HiatusRAT will exfiltrate key networking and system information pertaining to the router, including the MAC address, system architecture, router IP address, local IP address and MAC addresses of devices on adjacent LAN. HiatusRAT also sends a heartbeat POST to the command-and-control (C2) server every 8 hours, which allows the threat actor to track the status of the compromised router.

HiatusRat has the ability to download additional payloads, execute commands on target systems and to convert the target device into a SOCKS5 proxy to facilitate the passage of C2 server traffic.

Impact

Recent research has indicated that the initial compromise by HiatusRat occurs via the delivery of a bash script to the target router, which is responsible for installing a packet-capturing tool that monitors network traffic to TCP ports associated with mail servers and FTP connections. The monitored ports are port 21 (FTP), port 25 (SMTP), port 110 (POP3), and port 143 (IMAP). Due to the unencrypted communication that occurs via these ports, successful exploitation would allow threat actors to steal sensitive email content and FTP credentials. Such data could be used in future attack campaigns.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide effective protection against malware threats such as HiatusRAT. EDRs can alert system users of potential breaches and terminate the malware process during the early stages of the attack chain, therefore limiting the scope of damage.

Affected Products

– DrayTek Vigor router models 2960 and 3900

Containment, Mitigations & Remediations

It is strongly recommended that the following mitigation steps are adhered to in an attempt to strengthen defence efforts against exploitation by HiatusRAT:

– Users with self-managed routers should follow best practices and regularly monitor, reboot and install security updates and patches
– End-of-life systems should be replaced with vendor-supported models to ensure that patches have been applied against known vulnerabilities
– Businesses should consider implementing solutions that utilise VPN-based access to protect data and bolster their security posture
– Users should enable the latest cryptographic protocols to protect data in transit, such as only using email services which rely upon SSL and TLS. Examples of secure email services include secure simple mail transfer protocol and encrypted versions of IMAP or POP3

Indicators of Compromise

HiatusRAT IP addresses:

– 104[.]250[.]48[.]192
– 46[.]8[.]113[.]227
– 149[.]248[.]0[.]203
– 66[.]42[.]108[.]185

HiatusRAT SHA-256 file hashes:

– 07cc70b287cbed13ef965c5a9815e1e2dcb7bfa4664beafdc7b57b5af3a8dd12
– 15960d2d7584ff90922e1c69f33c00508de4caa8b05a1341142b31f1661dd56f
– 193481c4e2cbd14a29090f500f88455e1394140b9c5857937f86d2b854b54f60
– 27b957fe2c5e9f3c98cfae5e90a2cd90a9adb8c9ac9de21118a751d9679bc4af
– 36f6045fac9289df716ea9f3f657fd9c560660bfc70bebd0e07c1d42025f9a3a
– 382d64d5943001a1df569f8ddae9490509ed96ba8128de6e74acff6d879d7035
– 4877bdc4fa80ad8e38600d1e0f3e9fdfbce2a6658ba050347281842345c5dd5e
– 6e21e42cfb93fc2ab77678b040dc673b88af31d78fafe91700c7241337fc5db2
– 6eb7357c0492960150286418e2a2f18513f50e925630bf2e6235422143f2e6c6

HiatusRAT SHA-1 file hashes:

– 167ea14b961877bec689cf8714b450e55a8033bd
– 22ff6af7256397267d1919cbb78bfdcccb6e5e39
– 2a770ad9d8e34b71323f026dcbe6b70b67e415db
– 525c04e97a0e2b38243f11debec9e100cc51fb15
– 5ec68cd73e3ca516b2518bc3307f5381bcc52b20
– a80c9729984976eeb6b20a48a5dae8b10e4dc724
– c55a8c027482ce281903f4b6b0b370a6efc7252c
– cb01eb90c2c968a1d1e17136ba8609ff1eafb9eb
– da1cd4b75787d8c3079ca4b7709bf788e7e2021e

Threat Landscape

DrayTek devices occupy a significant portion of the VPN router share. Threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on. As a result, the DrayTek routers become a prime target. Due to the fact that DrayTek devices are business-class VPN routers, they have become an integral aspect of business affairs. As such, threat actors will continue to exploit vulnerabilities contained within these devices in an attempt to facilitate their attack efforts and exfiltrate sensitive data from associated networks.

The relevant reports have documented that at least 100 businesses, primarily residing in Europe, North America, and South America, have been infected by HiatusRAT.

Threat Group

No attribution to specific threat actors or groups have been identified at the time of writing.

Mitre Methodologies

Reconnaissance:

T1590 – Gather Victim Network Information
T1592 – Gather Victim Host Information

Execution:

T1059.003 – Windows Command Shell

Defense Evasion:

T1562 – Impair Defenses

Collection:

T1119 – Automated Collection

Command and Control:

T1090.002 – External Proxy

Further Information

Bleeping Computer Article
Lumen Blog
Hacker News Article

 

Intelligence Terminology Yardstick