Black Lotus Labs Uncovers Hiatus Malware Campaign

Black Lotus Labs Uncovers Hiatus Malware Campaign

By Greg Tavarez

The increased adoption of hybrid work has resulted in a greater reliance on inexpensive routers that facilitate VPN access, particularly for SMBs. The thing with these devices is that they are usually situated outside the conventional security periphery, leading to insufficient monitoring and updates. This creates opportunities for attackers to establish and maintain long-term persistence without detection.

Routers often provide access to multiple devices on a network, making them a valuable target for hackers who want to gain access to sensitive data or other systems on the network. Many of these routers have poor security configurations, including default login credentials and unpatched firmware. Hackers can also use compromised routers as part of a botnet to launch DDoS attacks.

These inexpensive routers are a vulnerable point in a network, which make them an attractive target for attackers that seek to gain access to sensitive information or conduct malicious activities. It’s been seen previously within the last year with ZuoRAT. The multistage remote access Trojan was developed for small office/home office devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.

Fast-forward to 2023. Black Lotus Labs, the threat research team at Lumen, uncovered a complex new malware campaign that had been exploiting compromised routers. The team delved into the latest research and identified a campaign called "Hiatus" that had been targeting business-grade routers since June 2022.

The team discovered that the threat actors behind the Hiatus campaign primarily targeted DrayTek Vigor router models 2960 and 3900, which had reached their end of life. As of mid-February, approximately 4,100 DrayTek models 2960 and 3900 were exposed on the internet, and Hiatus had compromised around 100 of them in Latin America, Europe, and North America with the pharmaceutical and IT services and consulting firm industries among the targeted.

So, what happens when the devices are compromised?

Well, the malware intercepts data transiting the infected router by deploying a binary that captures network packets from the compromised device and sends them to actor-controlled infrastructure. At the same time, the malware deploys a RAT dubbed "HiatusRAT" that displays a feature that the team called unusual. It converts the compromised machine into a bot that can proxy malicious traffic transmitted by the adversary to victims on additional networks.

"The discovery of Hiatus confirms that actors are continuing to pursue router exploitation. These campaigns demonstrate the need to secure the router ecosystem, and routers should be regularly monitored, rebooted and updated, while end-of-life devices should be replaced," said Mark Dehus, Director of Threat Intelligence for Lumen Black Lotus Labs.

Black Lotus Labs null-routed Hiatus C2s across the Lumen global backbone and added the Indicators of Compromise from this campaign into Rapid Threat Defense, the automated threat detection and response capability. The team also continues to monitor for new Hiatus infrastructure, targeting activity, and expanding tactics, techniques and procedures.

For consumers with self-managed routers, follow the advice Dehus provided: regularly monitor, reboot and install security updates and patches. End-of-life devices need to be replaced. Businesses also need to consider comprehensive SASE or similar solutions that utilize VPN-based access to protect data and bolster their security posture.

Echoing what Dehus said, this campaign shows the need to secure the router ecosystem. Anyone with a router who uses the internet is a potential target. Truth be told, they can be used as proxy for another campaign even, if the entity that owns the router does not view themselves as an intelligence target.




Edited by Alex Passett
Get stories like this delivered straight to your inbox. [Free eNews Subscription]

MSPToday Editor

SHARE THIS ARTICLE
Related Articles

Real Estate Forecast 2025: Emerging Developments and Market Shifts

By: Contributing Writer    7/1/2025

Buying or selling property can be challenging. Rising mortgage rates and fluctuating home prices leave many uncertain about their next move. Business …

Read More

Protecting Business Assets with Smarter Security Frameworks

By: Contributing Writer    7/1/2025

Protecting your business is more challenging than ever. Cyber threats are increasing every day. Hackers target small and large businesses alike, searc…

Read More

Reimagining Public Transportation in the Era of Smart Mobility

By: Contributing Writer    7/1/2025

Public transportation can be frustrating. Buses stuck in traffic, late trains, and hard-to-navigate systems often leave people stressed or stranded. M…

Read More

SonicWall Powers Secure Access for Missouri MSP, Improving Cybersecurity and Network Access for Clients

By: Erik Linask    6/27/2025

With SonicWall, Stronghold Data delivers a modern, secure remote access solution that ensures access to networks and resources and improves cybersecur…

Read More

Guardz Unleashes AI-Driven ITDR to Combat Escalating Identity-Based Threats

By: Erik Linask    6/26/2025

The launch of Identity Threat Detection and Response (ITDR) gives MSPs the tools to defend SMBs against increasingly sophisticated attacks targeting u…

Read More