The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system.
Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs), Lumen Black Lotus Labs said in a report published last week.
The cybersecurity firm described the activity cluster as “brazen” and “one of the most audacious,” indicating no signs of slowing down. The identity and the origin of the threat actors are presently unknown.
Targets included commercial firms, such as semiconductor and chemical manufacturers, and at least one municipal government organization in Taiwan as well as a U.S. Department of Defense (DoD) server associated with submitting and retrieving proposals for defense contracts.
HiatusRAT was first disclosed by the cybersecurity company in March 2023 as having targeted business-grade routers to covertly spy on victims primarily located in Latin America and Europe as part of a campaign that commenced in July 2022.
As many as 100 edge networking devices globally were infected to passively collect traffic and transform them into a proxy network of command-and-control (C2) infrastructure.
The latest set of attacks, observed from mid-June through August 2023, entail the use of pre-built HiatusRAT binaries specifically designed for Arm, Intel 80386, and x86-64 architectures, alongside MIPS, MIPS64, and i386.
A telemetry analysis to determine connections made to the server hosting the malware has revealed that “over 91% of the inbound connections stemmed from Taiwan, and there appeared to be a preference for Ruckus-manufactured edge devices.”
The HiatusRAT infrastructure consists of payload and reconnaissance servers, which directly communicate with the victim networks. These servers are commandeered by Tier 1 servers, which, in turn, are operated and managed by Tier 2 servers.
The attackers have been identified as using two different IP addresses 207.246.80[.]240 and 45.63.70[.]57 to connect to the DoD server on June 13 for approximately a period of two hours. 11 MB of bi-directional data is estimated to have been transferred during the period.
It’s not clear what the end goal is, but it’s suspected that the adversary may have been looking for publicly available information related to current and future military contracts for future targeting.
The targeting of perimeter assets such as routers has become something of a pattern in recent months, with China-affiliated threat actors linked to the exploitation of security flaws in unpatched Fortinet and SonicWall appliances to establish long-term persistence within target environments.
“Despite prior disclosures of tools and capabilities, the threat actor took the most minor of steps to swap out existing payload servers and carried on with their operations, without even attempting to re-configure their C2 infrastructure,” the company said.