Indiscriminate, opportunistic targeting.
A HiatusRAT malware threat cluster has been detected, targeting end-of-life (EoL) DrayTek Vigor router models, with the aim of stealing data and forming covert networks. Initiated in July 2022, the campaign has compromised approximately 100 internet-exposed devices as of mid-February 2023, and is still ongoing.
The following three attack vector components have been classified as pertaining to the campaign: a malicious bash script, HiatusRAT malware and ‘tcpdump’.
Following successful exploitation, HiatusRAT exfiltrates key networking and system information about the router, including the MAC address, system architecture, router IP address, local IP address and the MAC addresses of devices on the adjacent LAN. HiatusRAT also sends a heartbeat POST to the command-and-control (C2) server every 8 hours, which allows the threat actor to track the status of the compromised router.
HiatusRAT has the ability to download additional payloads, execute commands on target systems and convert the target device into a SOCKS5 proxy to facilitate the passage of C2 server traffic.
Recent research has indicated that the initial compromise by HiatusRAT occurs via the delivery of a bash script to the target router, which is responsible for installing a packet-capturing tool that monitors network traffic to TCP ports associated with mail servers and FTP connections. The monitored ports are port 21 (FTP), port 25 (SMTP), port 110 (POP3), and port 143 (IMAP). Because communication via these ports is unencrypted, successful exploitation would allow threat actors to steal sensitive email content and FTP credentials. Such data could be used in future attack campaigns.
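As an added detection example (not code from the original advisory or from any of the cited reports), the following Python script applies the two behaviours described above to constructed firewall log lines: it flags outbound POSTs from a device that recur on the 8-hour heartbeat cadence, and lists flows on the four plaintext ports the packet-capture component sniffs. The log format and the IP addresses (documentation ranges) are constructed for this example and are not indicators from any report.

```python
from collections import defaultdict
from datetime import datetime

# Plaintext ports the capture component monitors (from the advisory text).
CLEARTEXT_PORTS = {21: "FTP", 25: "SMTP", 110: "POP3", 143: "IMAP"}
HEARTBEAT_SECONDS = 8 * 3600   # heartbeat POST cadence described above
TOLERANCE = 0.05               # accept 5% jitter around the 8-hour interval

# Constructed sample log: "timestamp src_ip dst_ip dst_port proto [method]".
# Addresses are RFC 5737 documentation ranges, not real indicators.
SAMPLE_LOG = """\
2023-02-10T00:00:00 192.0.2.1 198.51.100.7 443 tcp POST
2023-02-10T03:15:00 192.0.2.1 203.0.113.9 443 tcp GET
2023-02-10T08:00:05 192.0.2.1 198.51.100.7 443 tcp POST
2023-02-10T09:30:00 192.0.2.50 203.0.113.25 25 tcp
2023-02-10T16:00:02 192.0.2.1 198.51.100.7 443 tcp POST
2023-02-10T17:00:00 192.0.2.51 203.0.113.26 143 tcp
2023-02-11T00:00:01 192.0.2.1 198.51.100.7 443 tcp POST
"""

def parse_log(text):
    """Parse the constructed log format into (ts, src, dst, port, method) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        method = parts[5] if len(parts) > 5 else None
        rows.append((ts, parts[1], parts[2], int(parts[3]), method))
    return rows

def find_periodic_posts(rows, period=HEARTBEAT_SECONDS, tolerance=TOLERANCE, min_hits=3):
    """Return (src, dst) pairs whose POSTs recur at roughly `period` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, method in rows:
        if method == "POST":
            by_pair[(src, dst)].append(ts)
    suspects = []
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = [g for g in gaps if abs(g - period) <= period * tolerance]
        if len(regular) + 1 >= min_hits:  # N regular gaps imply N+1 beacons
            suspects.append(pair)
    return suspects

def find_cleartext_flows(rows):
    """Flows on the sniffed ports: credentials and mail content cross in the clear."""
    return [(src, dst, port, CLEARTEXT_PORTS[port])
            for _, src, dst, port, _ in rows if port in CLEARTEXT_PORTS]
```

A periodic-POST hit on a router's WAN address is a lead to investigate, not proof of compromise; the cleartext-flow list shows which internal hosts would be exposed if such a capture were running on the router.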
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide effective protection against malware threats such as HiatusRAT. EDRs can alert system users of potential breaches and terminate the malware process during the early stages of the attack chain, therefore limiting the scope of damage.
– DrayTek Vigor router models 2960 and 3900
Containment, Mitigations & Remediations
It is strongly recommended that the following mitigation steps are adhered to in an attempt to strengthen defence efforts against exploitation by HiatusRAT:
– Users with self-managed routers should follow best practices and regularly monitor, reboot and install security updates and patches
– End-of-life systems should be replaced with vendor-supported models to ensure that patches have been applied against known vulnerabilities
– Businesses should consider implementing solutions that utilise VPN-based access to protect data and bolster their security posture
– Users should enable the latest cryptographic protocols to protect data in transit, such as only using email services which rely upon SSL/TLS. Examples include SMTP over TLS (SMTPS) and the TLS-protected variants of IMAP and POP3 (IMAPS and POP3S)
Indicators of Compromise
HiatusRAT IP addresses:
HiatusRAT SHA-256 file hashes:
HiatusRAT SHA-1 file hashes:
DrayTek devices occupy a significant portion of the VPN router share. Threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on. As a result, the DrayTek routers become a prime target. Due to the fact that DrayTek devices are business-class VPN routers, they have become an integral aspect of business affairs. As such, threat actors will continue to exploit vulnerabilities contained within these devices in an attempt to facilitate their attack efforts and exfiltrate sensitive data from associated networks.
The relevant reports have documented that at least 100 businesses, primarily residing in Europe, North America, and South America, have been infected by HiatusRAT.
No attribution to specific threat actors or groups has been made at the time of writing.
T1059.003 – Windows Command Shell
T1562 – Impair Defenses
T1119 – Automated Collection
Command and Control:
T1090.002 – External Proxy