New malware infects business routers for data theft, surveillance (Security News, March 2023)
An ongoing hacking campaign called 'Hiatus' targets DrayTek Vigor router models 2960 and 3900 to steal data from victims and build a covert proxy network.
DrayTek Vigor devices are business-class VPN routers used by small to medium-size organizations for remote connectivity to corporate networks.
The campaign, which started in July 2022 and is still ongoing, relies on three components: a malicious bash script, malware named "HiatusRAT," and the legitimate 'tcpdump' utility, used to capture network traffic flowing over the router.
The SOCKS proxy that HiatusRAT sets up on the compromised router forwards data from other infected machines through the breached device, blending that traffic in with the router's legitimate activity and making it harder to attribute.
"Once this packet capture data reaches a certain file length, it is sent to the 'upload C2' located at 46.8.113[.]227 along with information about the host router," reads the Black Lotus report.
Black Lotus' scans revealed that as of mid-February 2023, about 4,100 vulnerable DrayTek routers are exposed on the internet, so compromising only 2.4% of them indicates deliberate restraint: the operators appear to be keeping their footprint small.