| Cuttlefish | |
|---|---|
| Type of Malware | Credential Stealer |
| Additional names | HiatusRat |
| Country of Origin | Allegedly China |
| Date of initial activity | 2023 |
| Targeted Countries | Turkey |
| Motivation | To steal authentication data from HTTP GET and POST requests |
| Attack Vectors | The method for the initial infection of the routers has yet to be determined, but it could involve exploiting known vulnerabilities or brute-forcing credentials. |
| Targeted System | SOHO Routers (Linux) |
Overview
A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gathering authentication data from HTTP GET and POST requests.
Examination and Functionality
Lumen Technologies’ Black Lotus Labs analyzed the malware and reports that Cuttlefish creates a proxy or VPN tunnel on the compromised router to discreetly exfiltrate data, bypassing security measures designed to detect unusual sign-ins.
The malware also has the capability to perform DNS and HTTP hijacking within private IP spaces, which can interfere with internal communications and potentially introduce additional payloads.
Code Analysis and Attribution
While Cuttlefish shares some code with HiatusRat—a malware previously observed in campaigns aligned with Chinese state interests—there are no concrete links between the two, making attribution impossible.
Campaign Activity
Cuttlefish has been active since at least July 27, 2023, with the latest campaign running from October 2023 through April 2024. This campaign predominantly infected 600 unique IP addresses associated with two Turkish telecom providers.
Targets
Enterprise-grade and small office/home office (SOHO) routers
How they operate
The Cuttlefish malware operates by targeting networking equipment, specifically enterprise-grade and small office/home office (SOHO) routers. Here’s a detailed overview of how it operates:
Initial Access and Installation:
The infection vector for Cuttlefish is currently undisclosed, but once a device is compromised, the malware is deployed using a bash script. This script gathers host-based data and sends it to the command-and-control (C2) server. After this reconnaissance, Cuttlefish itself is downloaded and executed on the compromised device.
Functionality:
Packet Inspection and Hijacking: Cuttlefish sets up a packet filter to inspect outbound connections. It targets specific ports and protocols (e.g., UDP/Port 53 for DNS, TCP/Port 80 for HTTP) and monitors traffic for certain activities. If specific conditions are met, it hijacks HTTP requests by injecting an HTTP 302 redirect response that sends the client to actor-controlled infrastructure. DNS requests to private IPs are also redirected.
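Both hijack behaviours described above leave a visible trace on the LAN side of the router: an internal name that suddenly resolves to a public address, or a private-IP web server that "answers" with a redirect to an external host. The following detector is an added example written for this page, not Black Lotus Labs' tooling or anything recovered from the malware; the internal zone names, the event format and the sample events are all constructed assumptions, and a real deployment would feed it records from a passive DNS/HTTP sensor or proxy log.

```python
import ipaddress
from typing import List
from urllib.parse import urlparse

# Assumed internal DNS zones (constructed for the example; load these from the
# resolver's zone list in a real deployment).
INTERNAL_ZONES = ("corp.local", "intranet.example")

# RFC 1918 ranges only, so that documentation addresses used in the samples
# count as "public" exactly as they would from a LAN client's point of view.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_ip(value: str) -> bool:
    """True if value is an IP address inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def is_internal_name(name: str) -> bool:
    """True if the DNS name sits at or under one of the internal zones."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def is_internal_host(host: str) -> bool:
    """A redirect target is internal if it is a private IP or an internal zone name."""
    return is_private_ip(host) or is_internal_name(host)


def check_dns(event: dict) -> List[str]:
    """Flag internal-zone names whose answers point outside private address space."""
    qname = event["qname"]
    if not is_internal_name(qname):
        return []
    return [f"DNS: {qname} answered with public address {a}"
            for a in event["answers"] if not is_private_ip(a)]


def check_http(event: dict) -> List[str]:
    """Flag 3xx responses from a private-IP server whose Location leaves the network."""
    if event["status"] not in (301, 302, 307, 308) or not is_private_ip(event["server_ip"]):
        return []
    target = urlparse(event["location"]).hostname or ""
    if is_internal_host(target):
        return []
    return [f"HTTP: {event['server_ip']} returned {event['status']} to external host {target}"]


def analyze(events: List[dict]) -> List[str]:
    """Run the DNS and HTTP checks over a list of sensor events and return alert lines."""
    alerts: List[str] = []
    for ev in events:
        alerts.extend(check_dns(ev) if ev["type"] == "dns" else check_http(ev))
    return alerts


# Constructed sample events, not a real capture. 198.51.100.0/24 is a
# documentation range standing in for actor-controlled infrastructure.
SAMPLE_EVENTS = [
    {"type": "dns", "qname": "wiki.corp.local", "answers": ["10.0.0.20"]},          # benign
    {"type": "dns", "qname": "www.example.org", "answers": ["198.51.100.9"]},       # public name, benign
    {"type": "dns", "qname": "wiki.corp.local", "answers": ["198.51.100.7"]},       # hijacked answer
    {"type": "http", "server_ip": "10.0.0.20", "status": 200, "location": ""},     # benign
    {"type": "http", "server_ip": "10.0.0.20", "status": 302,
     "location": "https://sso.corp.local/login"},                                  # benign internal redirect
    {"type": "http", "server_ip": "10.0.0.20", "status": 302,
     "location": "http://198.51.100.7/login"},                                     # injected redirect
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

The HTTP check deliberately keys on the server's address rather than on the Location header alone: an off-net redirect from a public site is routine, but one apparently served by a 10.0.0.0/8 host that the client reached over plain HTTP is the signature of on-path injection, and the same logic applies to a router that rewrites DNS answers for internal zones.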
Credential Theft: The malware passively sniffs packets for authentication materials, including usernames, passwords, and tokens used in cloud services (e.g., AWS, Azure). It logs this information and sends it to the C2 server, potentially using it to access cloud resources through a VPN or proxy tunnel.
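The practical question for a defender is which of their own flows would hand an on-path sniffer usable credentials. The audit below is an added example for this page (not Black Lotus Labs' code and not derived from the malware): it parses raw HTTP/1.1 requests as they would cross the router in cleartext and reports Authorization headers, sensitive query or form parameters, and AWS access key IDs, redacting the values so the report itself is safe to share. The request samples, the parameter name list and the helper names are constructed assumptions; in practice the input would be an export from a LAN-side capture or a proxy log.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as secrets (assumption; extend per environment).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "access_token",
                    "api_key", "secret", "aws_secret_access_key"}
# AWS access key IDs start with AKIA (long-term) or ASIA (temporary).
AWS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def redact(value: str) -> str:
    """Keep only a two-character prefix so findings never reproduce the secret."""
    return value[:2] + "***" if len(value) > 4 else "***"


def audit_request(raw: str) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) pairs for credential material sent in cleartext."""
    _method, target, headers, body = parse_request(raw)
    findings: List[Tuple[str, str]] = []

    auth = headers.get("authorization")
    if auth:
        scheme = auth.split(" ", 1)[0]
        findings.append(("auth-header", f"{scheme} credential sent over cleartext HTTP"))

    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(("query-param", f"{name}={redact(value)}"))

    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                findings.append(("form-field", f"{name}={redact(value)}"))

    for match in AWS_KEY_RE.finditer(raw):
        findings.append(("aws-access-key-id", redact(match.group(0))))
    return findings


def audit_all(samples: List[str]) -> List[List[Tuple[str, str]]]:
    """Audit every request and return the findings list per request, in order."""
    return [audit_request(s) for s in samples]


# Constructed requests; hosts, users and secrets are invented, and the AWS key
# ID is Amazon's published documentation example, not a live key.
SAMPLES = [
    "GET /api/items?user=alice&password=hunter2 HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 32\r\n\r\n"
    "username=bob&passwd=s3cret%21xyz",
    "GET /s3/bucket HTTP/1.1\r\nHost: storage.example\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n",
    "GET /me HTTP/1.1\r\nHost: app.example\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.ZmFrZQ\r\n\r\n",
    "GET /bucket HTTP/1.1\r\nHost: s3.example\r\n"
    "Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20240501/us-east-1/s3/aws4_request, "
    "SignedHeaders=host, Signature=deadbeef\r\n\r\n",
    "GET /status HTTP/1.1\r\nHost: app.example\r\n\r\n",   # nothing sensitive
]

if __name__ == "__main__":
    for raw, findings in zip(SAMPLES, audit_all(SAMPLES)):
        print(raw.split("\r\n", 1)[0], "->", findings or "clean")
```

Every request the audit flags is one a compromised router could have read; the remediation is the same in each case (TLS for the flow, short-lived tokens instead of static keys, and rotation of anything already seen in cleartext), which is why the report carries the credential kind and location rather than the secret itself.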
Modularity: Cuttlefish is modular, allowing it to interact with other devices on the local network once installed. It can move laterally and introduce new agents or malware components.
Persistence and Evasion:
To maintain persistence, Cuttlefish hides itself within the system using techniques such as dropping files under obscure, dot-prefixed names in locations like /tmp/.Pg88s51gQG4tFyImFsT9qy6ZM5TeTF8.so and deleting traces from the file system after execution. It also employs evasion tactics to avoid detection by security tools.
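A hidden shared object in a scratch directory is something an incident responder can hunt for directly. The scanner below is an added example for this page (not a Black Lotus Labs tool): it walks a directory and reports dot-prefixed shared objects and any ELF binary found there. The demo tree it builds is constructed, using the file name from the page only as a planted decoy with a four-byte ELF header; on a real router you would point `scan_scratch_dir` at /tmp, /var/tmp and other writable paths.

```python
import os
import tempfile
from typing import List, Tuple

ELF_MAGIC = b"\x7fELF"


def scan_scratch_dir(root: str) -> List[Tuple[str, List[str]]]:
    """Report files a router should not normally carry in a scratch directory.

    Returns (path, reasons) for hidden .so files and for any ELF binary.
    """
    findings: List[Tuple[str, List[str]]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    magic = fh.read(4)
            except OSError:
                continue  # unreadable or vanished between listing and open
            reasons: List[str] = []
            hidden = name.startswith(".")
            if magic == ELF_MAGIC:
                reasons.append("ELF executable in scratch directory")
            if hidden and (name.endswith(".so") or magic == ELF_MAGIC):
                reasons.append("hidden shared object or binary name")
            if reasons:
                findings.append((path, reasons))
    return findings


def make_demo_tree() -> str:
    """Build a constructed directory mimicking the page's /tmp example (not a real sample)."""
    root = tempfile.mkdtemp(prefix="cuttlefish-demo-")
    planted = os.path.join(root, ".Pg88s51gQG4tFyImFsT9qy6ZM5TeTF8.so")
    with open(planted, "wb") as fh:
        fh.write(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9)  # header prefix only, not executable
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("benign text\n")
    with open(os.path.join(root, ".cache"), "w") as fh:
        fh.write("hidden but not a binary\n")
    return root


if __name__ == "__main__":
    demo_root = make_demo_tree()
    for path, reasons in scan_scratch_dir(demo_root):
        print(path, "->", "; ".join(reasons))
```

The check reads file contents rather than trusting the extension, so a hidden ELF renamed to look like a cache file is still reported, while an ordinary dot-file with text content is not.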
Network Manipulation and VPN/Proxy Usage:
Cuttlefish can create VPN tunnels back through compromised routers or set up proxy functionality using tools like n2n or socks_proxy. This allows threat actors to use the compromised device as a proxy for further attacks or to access internal resources without triggering security alerts.
Geographical and Victim Targeting:
The malware primarily targeted devices in Turkey, with a significant number of infections traced back to specific telecommunications providers. This targeted approach suggests strategic interest in certain geographical regions and network infrastructures.
Overlap with HiatusRat:
There is significant code overlap and operational similarities with HiatusRat, another malware associated with state-backed threat actors from China. This suggests a shared development or operational framework between the two malware families, although victimology remains distinct.
Significant Malware Campaigns
- Hackers with alleged connections to China are using a malware platform called “Cuttlefish” to target routers and other networking equipment used by organizations in Turkey. (May 2024)