New HiatusRAT Malware Campaign Targets Business Routers

A new malware campaign, known as “Hiatus”, is targeting small business routers to steal data and spy on victims.


A new malware campaign, dubbed “Hiatus”, is targeting small business routers using HiatusRAT malware.

On March 6, 2023, research firm Lumen published a blog post discussing this malicious campaign. In the Lumen blog post, it was stated that “Lumen Black Lotus Labs® identified another, never-before-seen campaign involving compromised routers.”


HiatusRAT is a type of malware known as a Remote Access Trojan (RAT). Remote Access Trojans are used by cybercriminals to gain remote access and control of a targeted device. The most recent version of the HiatusRAT malware seems to have been in use since July 2022.

In the Lumen blog post, it was also stated that “HiatusRAT allows the threat actor to remotely interact with the system, and it utilizes prebuilt functionality – some of which is highly unusual – to convert the compromised machine into a covert proxy for the threat actor.”


Using the “tcpdump” command-line utility, HiatusRAT can capture the network traffic passing over the targeted router, allowing the theft of data. Lumen also speculated that the malicious operators behind this campaign aim to set up a covert proxy network.

HiatusRAT Is Targeting Specific Kinds of Routers

The HiatusRAT malware is being used to attack end-of-life DrayTek Vigor VPN routers, specifically the 2690 and 3900 models running an i386 architecture. These are high-bandwidth routers used by businesses to give remote workers VPN support.

These router models are commonly used by small-to-mid-sized business owners, who are at particular risk of being targeted in this campaign. Researchers do not know how these DrayTek Vigor routers were infiltrated at the time of writing.


Over 4,000 machines were found to be vulnerable to this malware campaign in mid-February, meaning many businesses are still at risk of attack.

Attackers Are Only Targeting a Few DrayTek Routers

Of all the DrayTek 2690 and 3900 routers connected to the internet today, Lumen reported an infection rate of just 2 percent.

This indicates that the malicious operators are attempting to keep their digital footprint to a minimum to limit exposure and evade detection. In the aforementioned blog post, Lumen suggested that attackers also use this tactic to “maintain critical points of presence.”


HiatusRAT Poses an Ongoing Risk

At the time of writing, HiatusRAT poses a risk to many small businesses, with thousands of routers still being exposed to this malware. Time will tell just how many DrayTek routers are successfully targeted in this malicious campaign.
