Skip links

These DrayTek routers are under actual attack – and there’s no patch

If you’re still using post-support DrayTek Vigor routers it may be time to junk them, or come up with some other workaround, as a cunning malware variant is setting up shop in the kit.

The operators behind the Hiatus malware campaign are hijacking DrayTek Vigor router models 2960 and 3900 powered by MIPS, i386 and Arm-based processors to in turn attack businesses in North and Latin America as well as in Europe, according to researchers with Lumen’s Black Lotus Labs threat intelligence unit.

The two DrayTek router models reached end-of-life, in support terms, in December 2021. They are still broadly used, with more than 4,000 vulnerable boxes exposed to the internet, according to scans. The Hiatus crooks have infected at least 100 of them so far, Black Lotus researchers Danny Adamitis and Steve Rudd wrote in a report.

Sadly, it’s not known exactly how the high-bandwidth devices are compromised. But given the hardware is end-of-life, patches may not be forthcoming anyway. Once in, the malware drops a bash script and deploys two malicious executables: a remote access trojan the researchers are calling HiatusRAT, and a variant of the tcpdump network packet analyzer.

The HiatusRAT plays two roles. It first checks for competing processes running on the router’s 8816 port and kills anything found to ensure it’s the only RAT on the router. It then collects information about the infected router – including system-level data like the MAC address and architecture, networking and file information, and a list of processes running – and sends it to a command-and-control (C2) server.

The RAT also can also subvert the router to act as a proxy device, “likely to enable the actor to proxy command-and-control traffic through the router to obfuscate command and control from an additional agent elsewhere,” they wrote. This can be used in further attacks across the network.

The tcpdump binary is used to monitor router traffic on ports used for email and file-transfer communications and capture packets and sends the information to the C2.

Adamitis and Rudd said the current Hiatus campaign apparently began in July 2022 but that there likely were earlier instances of the malware being used. In a Twitter thread, Adamitis wrote that the malware outlined in the report is identified as version 1.5, so “while this latest campaign goes back to July 2022. This activity cluster almost certainly preceded that date.”

“The impacted models are high-bandwidth routers that can support VPN connections for hundreds of remote workers and offer ideal capacity for the average, medium-sized business,” the researchers wrote. “We suspect the actor infects targets of interest for data collection, and targets of opportunity for the purpose of establishing a covert proxy network.”

According to Black Lotus the key targets are midsize business that run their own mail servers, with kit belonging to pharmaceutical companies, IT services and consulting firms, and a municipal government under active attack.

“We suspect the IT firms were chosen to enable downstream access to customer environments, which could be enabled from collected data like the email traffic gathered by the packet-capture binary,” the researchers wrote.

Malware campaigns targeting routers aren’t new, but they can be very lucrative. Cisco has seen its share of its small business routers be abused by attackers and threat groups like Trickbot and nation-states like China and Russia have used the devices as pathways into IT environments.

Black Lotus last year outlined an unrelated novel malware called ZuoRAT that attacked small office and home office (SOHO) routers to deploy on adjacent LANs and a hacktivist campaign in 2021. The researchers also pointed to a report by the Microsoft Threat Intelligence Team about China-based cybercriminals also targeting SOHO routers to run espionage operations.

However, unlike ZuoRAT, Hiatus is trying to keep a lower profile by passively collecting information without interacting with a high-profile host, which could trigger cybersecurity tools to get its signature.

“This campaign shows the need to secure the router ecosystem,” Adamitis and Rudd wrote. “This type of agent demonstrates that anyone with a router who uses the internet can potentially be a target – and they can be used as proxy for another campaign – even if the entity that owns the router does not view themselves as an intelligence target.” ®