An unknown threat actor has discreetly compromised business-grade DrayTek routers in Europe, Latin and North America, equipping them with a remote access trojan (dubbed HiatusRAT) and a packet capturing program.
“The impacted models are high-bandwidth routers that can support VPN connections for hundreds of remote workers and offer ideal capacity for the average, medium-sized business. We suspect the actor infects targets of interest for data collection, and targets of opportunity for the purpose of establishing a covert proxy network,” Lumen researchers have posited.
How did it happen?
The researchers haven’t been able to pinpoint how the threat actor compromised the devices, but they know what happens next: a deployed bash script retrieves the HiatusRAT and a tcpdump variant.
HiatusRAT allows the threat actor to download files or run commands on the router and it serves as a SOCKS5 proxy device. It is capable of collecting information about the router: system-level information such as MAC address and firmware version, as well as information about other files and processes running on it. But it can also collect network information to pinpoint local IP and MAC addresses of the other devices on the adjacent LAN, which can come in handy at a later date.
Some of its functions are common, the researchers found, but other have been specifically buit to do things like enable obfuscated communications and mimic legitimate behavior to minimize detection.
The tcpdump variant allows the actor to monitor traffic on ports (21, 25, 110, 143) associated with email and file-transfer communications from the adjacent LAN, and capture data packets. The researchers suspect that additional ports can be added to that list “if the threat actor identifies a victim of high interest.”
The campaign
According to Lumen’s telemetry, the campaign has resulted in the successful compromise of around 100 routers.
“This is approximately 2% of the total number of DrayTek 2960 and 3900 routers that are currently exposed to the internet. This suggests the threat actor is intentionally maintaining a minimal footprint to limit their exposure and maintain critical points of presence,” the researchers noted.
“Because we have not observed any overlap or correlations between HiatusRAT and any public reporting, we assess that HiatusRAT is a unique cluster.”
The compromised routers likely belong to medium-size businesses that use them as the gateway to their corporate network or smaller organizations of interest within ISP customer ranges.
“Some of the impacted verticals include pharmaceuticals, IT services/consulting firms, and a municipal government– among others. We suspect the IT firms were chosen to enable downstream access to customer environments, which could be enabled from collected data like the email traffic gathered by the packet-capture binary.”
The campaign has been very low-key and organizations may have trouble spotting a compromised device. Lumen has shared indicators of compromise to help them check whether their router is among the 100 or so that have been hit.