Lumen Black Lotus Labs has uncovered a never-before-seen, complex malware that has been targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America since at least July 2022. The elusive campaign, dubbed Hiatus by the researchers, deploys two malicious binaries: a remote access trojan dubbed HiatusRAT and a variant of tcpdump that allows packet capture on the compromised device.
The threat cluster primarily singles out end-of-life (EoL) DrayTek Vigor router models 2960 and 3900, with approximately 100 internet-exposed devices compromised as of mid-February 2023. Some of the impacted industry verticals include pharmaceuticals, IT services/consulting firms, and municipal government, among others. Interestingly, this represents only a small fraction of the 4,100 DrayTek 2960 and 3900 routers that are publicly accessible over the internet, raising the possibility that "the threat actor is intentionally maintaining a minimal footprint to limit their exposure."
This is a concerning development for a number of reasons. First, it appears that this malware is specifically targeting business-grade routers, which means that it is likely being used for corporate espionage rather than simply to steal data from individuals. Second, the fact that it has been active for at least a year and a half and has only been detected now suggests that it is extremely sophisticated and difficult to detect. Finally, the fact that the majority of the compromised routers are located in North America, Europe, and Latin America suggests that this malware may be part of a larger campaign with a global reach.
These findings are yet another reminder of the importance of cybersecurity hygiene, especially for businesses. It is critical that businesses keep their software and firmware up to date, and that they use strong passwords and other security measures to protect their routers and other devices. Additionally, businesses should be aware of the possibility of covert surveillance and take steps to protect their data accordingly.