Cybersecurity researchers at Black Lotus Labs recently discovered a new campaign that uses vulnerable corporate routers to steal sensitive data and build a covert proxy network.
As BleepingComputer reports, the researchers found that two models of DrayTek Vigor routers, the 2960 and 3900, are being used to distribute malware called HiatusRAT.
This remote access trojan is used to download more malicious payloads that execute various commands on the infected endpoint and turn the device into a SOCKS5 proxy to pass command-and-control server traffic.
Steal data and execute files
The majority of victims, the report says, are in Europe, North America and South America. The researchers are not yet sure how the devices are initially compromised.
Still, they reverse engineered the malware and found that it collects system data (MAC address, kernel version, etc.), network data (IP addresses), file system data, and process data (process names, IDs, UIDs, etc.). In addition, the RAT sends a heartbeat POST to the server every eight hours, which the attackers use to monitor the infected device.
The RAT can also read, delete and upload files, download and run programs, forward arbitrary TCP data to a listening port on the host, and terminate itself if necessary.
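The fixed eight-hour heartbeat described above is something a defender can look for in outbound flow logs. The Python below is an added example (not code from the report or the article): it parses constructed flow records from a router and flags destinations that receive POSTs at a steady, roughly eight-hour cadence. The hosts, timestamps and record format are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow records (timestamp, src, dst, method); not real telemetry.
# The router at 192.0.2.1 posts to 203.0.113.9 every ~8 hours, mirroring the
# HiatusRAT heartbeat cadence; its other connections are irregular web traffic.
SAMPLE_FLOWS = """\
2023-03-01T00:00:05Z 192.0.2.1 203.0.113.9 POST
2023-03-01T01:13:40Z 192.0.2.1 198.51.100.20 GET
2023-03-01T08:00:07Z 192.0.2.1 203.0.113.9 POST
2023-03-01T11:45:02Z 192.0.2.1 198.51.100.20 GET
2023-03-01T16:00:04Z 192.0.2.1 203.0.113.9 POST
2023-03-01T19:02:11Z 192.0.2.1 198.51.100.20 GET
2023-03-02T00:00:06Z 192.0.2.1 203.0.113.9 POST
2023-03-02T05:31:59Z 192.0.2.1 198.51.100.20 GET
"""

def parse_flows(text):
    """Parse 'timestamp src dst method' lines into (datetime, src, dst, method) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, method))
    return flows

def find_beacons(flows, period_s=8 * 3600, tolerance=0.05, min_hits=3):
    """Return {(src, dst): mean_gap_seconds} for POST series whose gaps stay
    within `tolerance` of `period_s` (default: the eight-hour heartbeat)."""
    series = defaultdict(list)
    for ts, src, dst, method in flows:
        if method == "POST":
            series[(src, dst)].append(ts)
    hits = {}
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Flag when the average gap sits near the period and jitter is small.
        if abs(avg - period_s) <= tolerance * period_s and pstdev(gaps) <= tolerance * period_s:
            hits[key] = avg
    return hits

if __name__ == "__main__":
    for (src, dst), avg in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible heartbeat: {src} -> {dst} every {avg / 3600:.2f} h")
```

In a real deployment the source would be NetFlow or proxy logs for the router's WAN interface, and any hit against the upload C2 address quoted in the report would be an immediate indicator rather than a statistical one.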
The researchers say all this is necessary for the threat actors to be able to get hold of sensitive data passing through the router.
“Once this packet capture data reaches a certain file length, it will be sent to the ‘upload C2’ at 46.8.113[.]227 along with information about the host router,” the researchers explained. “This allows the threat actor to capture passive email traffic that passed through the router and some file transfer traffic.”
While not many companies have been infected with Hiatus, its impact can still be significant, the researchers said, as the hackers can steal email and FTP credentials.
Via: Bleeping Computer