Business-grade routers compromised in low-key attack campaign

An unknown threat actor has discreetly compromised business-grade DrayTek routers in Europe, Latin America and North America, equipping them with a remote access trojan (dubbed HiatusRAT) and a packet capturing program.

“The impacted models are high-bandwidth routers that can support VPN connections for hundreds of remote workers and offer ideal capacity for the average, medium-sized business. We suspect the actor infects targets of interest for data collection, and targets of opportunity for the purpose of establishing a covert proxy network,” Lumen researchers have posited.

How did it happen?

The researchers haven’t been able to pinpoint how the threat actor compromised the devices, but they know what happens next: a deployed bash script retrieves the HiatusRAT and a tcpdump variant.

HiatusRAT allows the threat actor to download files or run commands on the router, and it serves as a SOCKS5 proxy device. It is capable of collecting information about the router: system-level information such as MAC address and firmware version, as well as information about other files and processes running on it. But it can also collect network information to pinpoint local IP and MAC addresses of the other devices on the adjacent LAN, which can come in handy at […]