Look at the Big Balls on This RAT
The cybercriminals behind the notorious HiatusRAT malware have emerged from their digital shadows, launching a fresh series of reconnaissance and targeting operations. Their focus? Organizations based in Taiwan and a procurement system belonging to the U.S. military. Lumen Black Lotus Labs, a cybersecurity firm, reported last week that the culprits have been recompiling malware samples for various architectures and hosting the artifacts on new virtual private servers (VPSs).
The firm characterized this wave of activity as “brazen” and “audacious” (pssst – that's how you know it's China), showing no signs of deceleration. However, the identities and origins of these cybercriminals remain shrouded in mystery. The targets of these attacks are diverse, ranging from commercial entities such as semiconductor and chemical manufacturers to a municipal government organization in Taiwan. Notably, a U.S. Department of Defense (DoD) server, used for submitting and retrieving defense contract proposals, has also been targeted.
The HiatusRAT malware first came into the spotlight in March 2023 when it was found targeting business-grade routers. Its primary victims were located in Latin America and Europe, with the campaign starting in July 2022. The malware infected around 100 edge networking devices worldwide, passively collecting traffic and transforming these devices into a proxy network for command-and-control (C2) infrastructure. The most recent wave of attacks, observed from mid-June through August 2023, involved the use of pre-built HiatusRAT binaries specifically designed for various architectures, including Arm, Intel 80386, x86-64, MIPS, MIPS64, and i386.
Taiwanese IPs in Use, Data Exfilled
Telemetry analysis revealed that over 91% of the inbound connections to the server hosting the malware originated from Taiwan, with a notable preference for Ruckus-manufactured edge devices. The HiatusRAT infrastructure is composed of payload and reconnaissance servers that directly communicate with the victim networks. These servers are controlled by Tier 1 servers, which are, in turn, managed by Tier 2 servers.
The cybercriminals were found to have used two different IP addresses to connect to the DoD server on June 13 for approximately two hours. During this period, an estimated 11 MB of bi-directional data was transferred. While the ultimate goal of these activities is unclear, it’s suspected that the cybercriminals were seeking publicly available information related to current and future military contracts for potential future targeting. This trend of targeting perimeter assets like routers has become increasingly common in recent months.
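The pattern in the two paragraphs above (a handful of external IPs holding sustained, multi-megabyte sessions against one sensitive host) is something a defender can pull out of ordinary flow telemetry. The script below is an added example, not code from the original post or from Black Lotus Labs: it parses constructed flow records (RFC 5737 documentation addresses, a hypothetical server at 10.0.0.5, byte counts chosen so the two flagged sources total roughly 11 MB), summarizes each source's activity window and bidirectional volume, and flags sources that exceed duration and volume thresholds.

```python
"""
Flag external sources holding long, high-volume sessions against a sensitive host.

Added example; the flow records below are constructed, not real telemetry.
"""
from datetime import datetime

# Constructed flow records: timestamp, src, dst, bytes sent to dst, bytes returned by dst.
# Sources use RFC 5737 documentation ranges; 10.0.0.5 is a hypothetical contract portal.
SAMPLE_FLOWS = """\
2023-06-13T14:00:00,203.0.113.7,10.0.0.5,1200,350000
2023-06-13T14:10:00,198.51.100.9,10.0.0.5,800,1900000
2023-06-13T14:20:00,192.0.2.44,10.0.0.5,600,42000
2023-06-13T14:00:30,203.0.113.200,10.0.0.5,9000,12000
2023-06-13T14:05:10,203.0.113.200,10.0.0.5,9500,11000
2023-06-13T14:45:00,203.0.113.7,10.0.0.5,900,2600000
2023-06-13T15:30:00,198.51.100.9,10.0.0.5,1100,3700000
2023-06-13T15:55:00,203.0.113.7,10.0.0.5,1500,2500000
"""


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, bytes_in, bytes_out = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "bytes_in": int(bytes_in),
            "bytes_out": int(bytes_out),
        })
    return flows


def summarize_sources(flows, dst):
    """Per source IP talking to `dst`: first/last seen, flow count, total bytes, window in minutes."""
    summary = {}
    for f in flows:
        if f["dst"] != dst:
            continue
        s = summary.setdefault(
            f["src"], {"first": f["ts"], "last": f["ts"], "flows": 0, "bytes": 0}
        )
        s["first"] = min(s["first"], f["ts"])
        s["last"] = max(s["last"], f["ts"])
        s["flows"] += 1
        # Bidirectional volume: bytes in both directions count toward the total.
        s["bytes"] += f["bytes_in"] + f["bytes_out"]
    for s in summary.values():
        s["minutes"] = (s["last"] - s["first"]).total_seconds() / 60
    return summary


def flag_sustained_sessions(summary, min_minutes=60, min_bytes=5_000_000):
    """Return source IPs whose activity window and bidirectional volume both exceed the thresholds."""
    return sorted(
        src for src, s in summary.items()
        if s["minutes"] >= min_minutes and s["bytes"] >= min_bytes
    )


if __name__ == "__main__":
    summary = summarize_sources(parse_flows(SAMPLE_FLOWS), "10.0.0.5")
    for src in flag_sustained_sessions(summary):
        s = summary[src]
        print(f"{src}: {s['flows']} flows over {s['minutes']:.0f} min, {s['bytes'] / 1e6:.2f} MB total")
```

The thresholds are deliberately simple; in practice they would be tuned per host, and a single short request (192.0.2.44 here) or a burst of small flows within a few minutes (203.0.113.200) should fall below them, while the two sources that return repeatedly over more than an hour and pull several megabytes each are the ones worth a closer look.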
Surprise, It's Almost Always China
Threat actors affiliated with China have been linked to exploiting security flaws in unpatched Fortinet and SonicWall appliances to establish long-term persistence within target environments. Despite previous disclosures of their tools and capabilities, the threat actor has made only minor changes, swapping out existing payload servers and continuing their operations without any significant reconfiguration of their C2 infrastructure.