These Popular VPN Routers Are Hacked To Spread Malware


Cybersecurity researchers at Black Lotus Labs recently uncovered a new campaign that uses vulnerable commercial routers to steal sensitive data and create a secret proxy network.

As reported by BleepingComputer, researchers discovered that two models of DrayTek Vigor routers, the 2960 and the 3900, are being used to distribute malware called HiatusRAT.

This remote access Trojan is used to download further malicious payloads that execute various commands on the infected endpoint and turn the device into a SOCKS5 proxy to relay commands and monitor server traffic.

Data theft and file execution

Most of the victims, the report says, are in Europe, North America and South America. Researchers have not yet determined the initial access vector used to infect the devices.

However, they reverse-engineered the malware and found that it steals system data (MAC address, kernel version, etc.), network data (IP addresses), file system data, and process data (process names, identifiers, UIDs, etc.). Additionally, the RAT sends a heartbeat POST to the server every eight hours, which the attackers use to monitor the infected device.
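
As an added example (not from the article or the Black Lotus Labs report), the Python below flags a router whose outbound POSTs recur on the eight-hour cadence described above; the log format, addresses and timestamps are constructed for the example.

```python
# Added example: a small beacon-interval check for outbound HTTP POSTs from a
# router, tuned to the eight-hour HiatusRAT heartbeat the article describes.
# The log format, hosts and timestamps are constructed, not taken from the report.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress-proxy/firewall log lines: "<ISO timestamp> <src> <dst> <method>"
SAMPLE_LOG = """\
2023-03-01T00:02:11 192.0.2.1 203.0.113.50 POST
2023-03-01T00:05:40 192.0.2.1 198.51.100.7 GET
2023-03-01T08:03:02 192.0.2.1 203.0.113.50 POST
2023-03-01T09:12:45 192.0.2.1 198.51.100.7 GET
2023-03-01T16:01:50 192.0.2.1 203.0.113.50 POST
2023-03-02T00:02:30 192.0.2.1 203.0.113.50 POST
2023-03-02T08:02:58 192.0.2.1 203.0.113.50 POST
2023-03-02T11:40:00 192.0.2.1 198.51.100.7 GET
"""

HEARTBEAT_SECONDS = 8 * 3600   # interval stated in the article
TOLERANCE = 0.05               # allow 5% drift around the expected interval
MIN_BEACONS = 4                # require several repeats before flagging

def parse_log(text):
    """Return {(src, dst): [datetime, ...]} for POST requests only."""
    posts = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, method = line.split()
        if method == "POST":
            posts[(src, dst)].append(datetime.fromisoformat(ts))
    return posts

def find_periodic_posts(text, period=HEARTBEAT_SECONDS, tol=TOLERANCE, min_beacons=MIN_BEACONS):
    """Flag (src, dst) pairs whose POSTs recur at roughly `period` seconds.

    Each flagged entry carries the mean interval and its standard deviation so an
    analyst can see how regular the cadence is (a RAT heartbeat is very regular)."""
    flagged = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg, spread = mean(gaps), pstdev(gaps)
        if abs(avg - period) <= period * tol and spread <= period * tol:
            flagged.append((src, dst, round(avg), round(spread)))
    return flagged

if __name__ == "__main__":
    for src, dst, avg, spread in find_periodic_posts(SAMPLE_LOG):
        print(f"{src} -> {dst}: POST every ~{avg}s (sd {spread}s), matches {HEARTBEAT_SECONDS}s heartbeat")
```

Run against real egress logs, a hit is a lead to confirm by inspecting the router, not proof of infection on its own.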

In addition, it can read, delete, and download files, download and execute programs, forward any TCP data set to a listening port on the host, and terminate itself if required.

The researchers say all of this is necessary for threat actors to take advantage of sensitive data passing through the router.

"Once the capture data from this packet reaches a certain file length, it is sent to the 'C2 download' located at 46.8.113.227, as well as information about the host router," the researchers explained. "This allows the threat actor to passively capture email traffic that has passed through the router and some of the file transfer traffic."

Although few companies are infected with Hiatus, its impact can still be significant, the researchers said, because hackers can steal email and FTP credentials.

Via: BleepingComputer