Contact Us

HiatusRAT: A Trojan compromising business-grade routers

HiatusRAT is a type of malware known as a Remote Access Trojan (RAT). Cybercriminals employ remote access Trojans to take over and control a target device from a distance. HiatusRAT malware appears to have been in use since July 2022 in its most current iteration. The Hiatus campaign primarily targeted outdated i386-based DrayTek Vigor versions 2960 and 3900.

A never-before-seen campaign utilizing infected routers was discovered and named ‘Hiatus.’ Two malicious programmes, including the Remote Access Trojan (RAT) and a tcpdump version that permits packet collection on the target device, are distributed when it infects business-grade routers.

HiatusRAT gives the attacker remote access to the compromised machine after infection. The threat actor can track activity on router ports relevant to file transfers and email conversations, thanks to the programme for packet capturing. It is unknown how the Hiatus campaign’s first access is gained, but it is known that after gaining it, the attackers use a bash script to download and run HiatusRAT and a packet-capture programme.

Threat actors may exploit routers as effective sites to install malware, frequently for cyberespionage. In addition to typically employing customized versions of current operating systems, routers are frequently less secure than regular devices. As a result, attacking routers might be fascinating for attackers but more difficult to hack into and utilize effectively than an ordinary endpoint or server.

Other features of the malware include the ability to change its configuration file, provide the attacker access to a remote shell, read, delete, and upload files, download, and run files, and enable SOCKS5 packet forwarding or plain TCP packet forwarding.

HiatusRAT has been observed in attacks targeting organizations in the Middle East, particularly in Saudi Arabia, Southeast Asia, and Europe. The malware is known to target industries including finance, and energy as well as several government facilities.

References:

  1. https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/
  2. https://www.techrepublic.com/article/hiatus-malware-campaign-targets-routers/
  3. https://www.makeuseof.com/new-hiatusrat-malware-targets-business-routers/

Related Articles

SISA logo in white

SISA is a global forensics-driven cybersecurity solutions company, trusted by leading organizations for securing their businesses with robust preventive, detective, and corrective cybersecurity solutions. Our problem-first, human-centric approach helps businesses strengthen their cybersecurity posture.

Industry recognition by CREST, CERT-In and PCI SSC serves as a testament to our skill, knowledge, and competence.

We apply the power of forensic intelligence and advanced technology to offer true security to 2,000+ customers in 40+ countries.

Company

Services

Resources

Quick Links

Connect with us

Copyright © 2024 SISA. All Rights Reserved.
SISA’s Latest
close slider

Webinar

Webinar: ANAB accredited certification, Jan 2024, cover image

ANAB Accredited Certification: A Catalyst for Professional Excellence in Payment Security

Webinar: ANAB accredited certification, Jan 2024, cover image

ANAB Accredited Certification: A Catalyst for Professional Excellence in Payment Security

Whitepaper

Bridging the cybersecurity skill gap in payments industry through accredited training - Banner

The Tipping Point: Bridging the Cybersecurity Skill Gap in the Payments Industry Through Accredited Training

Events

SISA Reimagines Cybersecurity with MXDR at RSA 2024

News Room

DSCI and SISA unveils cyber report on ‘MXDR – A New Paradigm for Cyber Defense’

Infosec Report

SISA-DSCI ProACT MXDR Report launch 2024

Blog

The Critical Role of Accredited Certification in Payment Security

Weekly Threat Watch

Critical CVSS 10 vulnerability in PAN-OS sparks urgent action

Case Study

SISA helps a global electronic payment provider strengthen risk management and compliance

Sign up for SISA's Daily
Threat Watch Advisory
Subscribe now!