A new malware campaign, dubbed Hiatus, is using business-grade routers in North and South America and Europe to steal files and capture email, according to security researchers.
The malware has been found to backdoor routers with a remote access Trojan, enabling attackers to download files and run commands of their choice. Researchers from Lumen’s Black Lotus Labs said Hiatus has been operating since at least July 2021 and has primarily hit end-of-life DrayTek Vigor models 2960 and 3900 running on an i386 architecture.
Security researchers have discovered an advanced malware campaign called “Hiatus” that targets business-grade routers, turning them into attacker-controlled listening posts. The malware can steal files, intercept email, and backdoor routers with a remote access Trojan, allowing attackers to run commands and download files. The campaign has been active since at least July 2021 and has primarily infected end-of-life DrayTek Vigor routers.
The researchers suspect that the unknown threat actor behind the campaign deliberately keeps its footprint small to avoid detection. The malware is installed through a bash script that downloads and installs two main binaries: HiatusRAT and a packet-capture binary.