Cyber solutions provider Lumen Technologies has detected malware that targets Taiwanese organizations and researches US military websites.
Lumen’s intelligence segment, Black Lotus Labs, first identified the cyber threat in March 2023. Currently, the malware continues to affect international business-grade routers.
HiatusRAT
Called the HiatusRAT (Remote Access Trojan), the virus remotely interacts and employs pre-built functionality to compromise a machine, turning it into a covert proxy.
The malware infected approximately 100 victims during its surge, most in Latin America and Europe. Its latest version became active in July 2022, while the threat’s focus shifted in July 2023.
Black Lotus discovered HiatusRAT just nine months after identifying ZuoRAT, a separate novel malware consistent with China’s strategic interests targeting small office and home office or SOHO routers.
“While we acknowledge that all threat actors have different tolerances when it comes to public disclosures, this activity cluster ranks as one of the most audacious Black Lotus Labs has observed,” Lumen stated.
“Despite prior disclosures of tools and capabilities, the threat actor took the most minor of steps to swap out existing payload servers and carried on with their operations.”
“This highlights the difficulty of dealing with edge and IoT-based malware, as there currently is no universal mechanism to clean up these devices.”
‘Warning’ for Businesses
In response, the Lumen team launched a campaign to equip new, null-routed Hiatus command and control servers across its global assets.
Indicators of Compromise were also added to the company’s Rapid Threat Defense, an approach using automated threat detection and response to secure associated product portfolios from threats before reaching the customer’s network.
“Sophisticated threat actors, especially those sponsored by nation states, are exploiting edge routers and similar devices,” Black Lotus Threat Intelligence Director Mark Dehus explained.
“They use malware like HiatusRAT to discreetly gain access to these devices and covertly run their espionage and criminal networks without the device owners’ knowledge.”
“It’s a warning that businesses must act now to avoid their infrastructure becoming part of adversaries’ ongoing operations.”
