Complex New Malware Targeting Routers Discovered: Hiatus

A complex new malware campaign has been discovered that has been abusing compromised routers since June 2022 to covertly spy on its victims. Named "Hiatus", the campaign has targeted business-grade routers at organisations in several industries, including pharmaceuticals and IT services. Researchers suspect the IT firms were chosen to give the threat actor downstream access to those firms' customers' environments.

The discovery of the malware was led by Black Lotus Labs, the threat research team at Lumen Technologies. "The rise of hybrid work has led to increased dependency on relatively low-cost routers that enable VPN access – especially for many small- and medium-sized businesses," said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs. "These devices typically live outside the traditional security perimeter, which means they usually are not monitored or updated. This helps the actor establish and maintain long-term persistence without detection."

New Malware Strain Hiatus

The new malware strain Hiatus deploys two malicious binaries: a Remote Access Trojan (RAT) that Black Lotus Labs has named 'HiatusRAT', and a variant of tcpdump that lets the actor capture packets passing through the compromised router.

Dehus concludes "The discovery of Hiatus confirms that actors are continuing to pursue router exploitation. These campaigns demonstrate the need to secure the router ecosystem, and routers should be regularly monitored, rebooted, and updated, while end-of-life devices should be replaced." 

The discovery of Hiatus comes on the heels of the team's other recent discovery – a novel malware called ZuoRAT – which targeted SOHO (small office/home office) routers.

What Can Be Done to Help Guard Against Hiatus Malware?

  • Consumers and small businesses that use self-managed routers should regularly monitor and reboot them and install security updates and patches. End-of-life devices should be replaced with current models.
  • Organisations should consider a comprehensive solution, such as SASE or a similar offering that uses VPN-based access to protect data, to boost their security posture.
  • Secure email services should be used to protect data in transit.
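The second Hiatus binary is a tcpdump variant used to capture traffic on the router, and the advice above is to monitor such devices regularly. One observable a practitioner can watch for is the side effect of a tcpdump-style capture: the capture tool normally places the interface into promiscuous mode, and the Linux kernel logs that transition ("device eth0 entered promiscuous mode") and sets the IFF_PROMISC bit in /sys/class/net/<iface>/flags. The script below is an added example and is not code from the Black Lotus Labs report or from this article; it assumes a Linux-based router whose kernel log can be collected, and the interface names and log lines in it are constructed for illustration.

```python
"""
Added example: detect packet-capture activity on a Linux-based router by
replaying kernel promiscuous-mode messages and, where available, reading
the live interface flags. Not from the HiatusRAT research; sample data
below is constructed.
"""
import glob
import os
import re
from dataclasses import dataclass

# Kernel message emitted by dev_set_promiscuity() on Linux, e.g.
#   "device eth0 entered promiscuous mode" / "device eth0 left promiscuous mode"
PROMISC_RE = re.compile(
    r"device (?P<iface>[A-Za-z0-9_.:-]+) (?P<action>entered|left) promiscuous mode"
)

# IFF_PROMISC from <linux/if.h>; appears in /sys/class/net/<iface>/flags
IFF_PROMISC = 0x100


@dataclass
class PromiscEvent:
    iface: str
    action: str   # "entered" or "left"
    line: str     # the original log line, kept for the analyst


def parse_promisc_events(lines):
    """Extract promiscuous-mode transitions from kernel log lines."""
    events = []
    for line in lines:
        m = PROMISC_RE.search(line)
        if m:
            events.append(PromiscEvent(m.group("iface"), m.group("action"), line.strip()))
    return events


def interfaces_currently_promisc(events):
    """Replay entered/left transitions in order; return interfaces still capturing."""
    state = {}
    for ev in events:
        state[ev.iface] = (ev.action == "entered")
    return sorted(iface for iface, on in state.items() if on)


def flags_promisc(flags_text):
    """Interpret the hex content of /sys/class/net/<iface>/flags (e.g. '0x1103')."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def live_promisc_interfaces(sysfs_root="/sys/class/net"):
    """Read the real sysfs flags on a Linux host; returns [] elsewhere."""
    found = []
    for path in glob.glob(os.path.join(sysfs_root, "*", "flags")):
        try:
            with open(path) as fh:
                if flags_promisc(fh.read()):
                    found.append(os.path.basename(os.path.dirname(path)))
        except OSError:
            continue
    return sorted(found)


# Constructed sample kernel log lines (hypothetical interface names).
SAMPLE_DMESG = [
    "[   12.345678] device eth1 entered promiscuous mode",
    "[   12.400000] device eth1 left promiscuous mode",
    "[ 9876.123456] device eth0 entered promiscuous mode",
    "[ 9877.000000] br0: port 1(eth1) entered forwarding state",
]

if __name__ == "__main__":
    events = parse_promisc_events(SAMPLE_DMESG)
    for ev in events:
        print(f"{ev.iface:6s} {ev.action:8s} <- {ev.line}")
    print("still in promiscuous mode (log replay):", interfaces_currently_promisc(events))
    print("still in promiscuous mode (live sysfs):", live_promisc_interfaces())
```

A hit is an investigation lead, not a verdict: an administrator's own tcpdump session or a bridge/IDS sensor produces the same kernel message, and a capture started with `tcpdump -p` (no promiscuous mode) will not produce it at all. The value of the check is that it is cheap to run from the router's existing syslog export, which is exactly the kind of monitoring the recommendations above call for on devices that otherwise sit outside the security perimeter.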

The Black Lotus Labs team will continue to monitor for new Hiatus infrastructure, targeting activity and expanding TTPs; the team's full research report on the HiatusRAT router malware is available from Black Lotus Labs.