Cuttlefish, a new strain of malware, has been discovered targeting small office and home office (SOHO) routers. This malicious software is engineered to discreetly monitor all traffic passing through these devices and extract authentication data from web requests, particularly HTTP GET and POST requests. The Black Lotus Labs team at Lumen Technologies, who reported on the malware, described it as modular and primarily focused on capturing authentication materials from traffic within the local area network. Additionally, Cuttlefish has capabilities for DNS and HTTP hijacking, specifically targeting connections to private IP spaces within internal networks.
The malware has been active since at least July 2023, with its activities ramping up from October 2023 through April 2024. It predominantly affects routers connected to two major Turkish telecom providers, compromising around 600 unique IP addresses so far. The initial method of intrusion into the networking equipment remains unclear, but once inside, Cuttlefish deploys a bash script that collects and sends extensive host data to a control server operated by the attackers.
Cuttlefish is designed to function on various router architectures, including Arm and several versions of i386 and MIPS. A notable feature of this malware is its use of extended Berkeley Packet Filter (eBPF) to passively sniff network packets, specifically aiming to intercept authentication data related to public cloud services like AWS, CloudFlare, and Digital Ocean. The malware filters traffic based on a set of rules, deciding whether to hijack traffic or initiate sniffing to capture credentials, depending on the destination IP address.
Moreover, the hijack rules are dynamically managed through updates from a command-and-control (C2) server, with which it maintains a secure connection using an embedded RSA certificate. Cuttlefish is also capable of acting as a proxy and a VPN, rerouting the captured data through the compromised router. This functionality not only allows the attackers to use the stolen credentials to access cloud resources associated with the targeted entity but also provides them with deeper access into the victim’s cloud ecosystem. The capabilities of Cuttlefish represent a significant evolution in malware targeting network edge equipment, combining route manipulation, connection hijacking, and sophisticated eavesdropping techniques.
