Threat Actors are Using Advanced Malware to Backdoor Business-grade Routers

upstart writes:

Hiatus hacking campaign has infected roughly 100 Draytek routers:

Researchers have uncovered advanced malware that's turning business-grade routers into attacker-controlled listening posts that can sniff email and steal files in an ongoing campaign hitting North and South America and Europe.

Besides passively capturing IMAP, SMTP, and POP email, the malware also backdoors routers with a remote-access Trojan that allows the attackers to download files and run commands of their choice. The backdoor also enables attackers to funnel data from other servers through the router, turning the device into a covert proxy for concealing the true origin of malicious activity.

"This type of agent demonstrates that anyone with a router who uses the Internet can potentially be a target-and they can be used as proxy for another campaign-even if the entity that owns the router does not view themselves as an intelligence target," researchers from security firm Lumen's Black Lotus Labs wrote. "We suspect that threat actors are going to continue to utilize multiple compromised assets in conjunction with one another to avoid detection."

[...] Black Lotus still doesn't know how devices are getting hacked in the first place. Once (and however) that happens, the malware gets installed through a bash script that's deployed post-exploitation. It downloads and installs the two main binaries.

[...] Hiatus is mainly targeting DrayTek routers running an i386 architecture. The researchers, however, have uncovered prebuilt binaries compiled for ARM, MIPS64 big endian, and MIPS32 little endian platforms.

Read more of this story at SoylentNews.