A new report by Lumen Black Lotus Labs highlights a malware campaign that targets home and small-office internet routers for espionage. The campaign, called “HiatusRAT,” targets network devices made by the Taiwanese company DrayTek and is believed to be run by a group of Chinese hackers known as “DeathStalker.”

HiatusRAT uses a sophisticated malware strain that infects DrayTek devices and gives the attackers complete control over them. The malware can perform a wide range of malicious activities, including stealing sensitive data, intercepting network traffic, and deploying additional malware on the infected devices.

What sets the HiatusRAT campaign apart is its use of a built-in proxy server to disguise the attackers' malicious activity. The proxy lets the attackers route their traffic through the infected routers, which makes it harder for security teams to detect and track the campaign.

[Figure: Global heatmap showing the distribution of bots from Oct. 1, 2022, through Feb. 20, 2023 (source: Lumen Black Lotus Labs)]

The Lumen Black Lotus Labs report provides additional technical details about the malware, including the techniques the attackers use to propagate and maintain the infection.

DrayTek device owners should take immediate action to secure their devices and reduce the risk of falling victim to the HiatusRAT campaign.

According to Lumen, “As of mid-February 2023, there were approximately 2,700 DrayTek Vigor 2960 routers and approximately 1,400 DrayTek Vigor 3900 routers exposed on the internet, and Hiatus had compromised approximately 100 of these routers. This campaign is significantly smaller than some of the more prominent botnets such as Emotet or Chaos – both of which indiscriminately target vulnerable devices on the internet. We assess that the threat actor most likely chose to keep the campaign small to evade detection.”
