Cuttlefish, the new malware that attacks small businesses and private networks


Mélina LOUPIA

May 2, 2024 at 7:02 p.m.

Cuttlefish or the formidable malware © Shutterstock x Clubic.com

Cuttlefish, a malware strain active since July 2023, resurfaced by infecting 600 unique IP addresses between October 2023 and April 2024.

"Eight arms to hold you": this is how Lumen Technologies describes the malware campaign called "Cuttlefish". That says a lot about its abilities.

It takes a large arsenal of malicious tools to penetrate, unseen and through a zero-click attack, the routers of small businesses or professional home networks on the one hand, and on the other to spread by taking advantage of their vulnerabilities for hijacking attacks.

Zero click: the formidable attack of Cuttlefish

We often hear about zero-day attacks, in which hackers take advantage of a flaw as soon as it is discovered and, above all, before it is corrected (like the one that Apple's iOS update in March 2024 managed to thwart). The zero-click attack is less common, and this is perhaps what makes it all the more dangerous, formidable as it already is.

The term zero click refers to a category of cyberattacks that require no interaction from the victim to be executed. In this case, Cuttlefish can infiltrate and operate on a system without the user having to click on a malicious link or open an infected file. This ability makes Cuttlefish particularly dangerous, as it can bypass traditional defense mechanisms that rely on user action to trigger infection.

Zero click attacks like this are difficult to detect and prevent because they can occur without warning signs, leaving little trace until the damage is already done.

Cuttlefish malware can perform DNS hijacking © Natalya Bardushka / Shutterstock

Cuttlefish, a modular malware capable of DNS and HTTP hijacking

"This malware is modular, designed primarily to steal authentication material found in web requests that pass through the router from the adjacent local area network (LAN)," explains the report from the Black Lotus Labs team at Lumen Technologies.

Cuttlefish malware is described as modular, as it is made up of various independent components that can be added, removed, or updated without disrupting the overall operation of the program. This modular architecture allows hackers to customize the attack based on their specific objectives and the victim’s network environment. Cuttlefish is also capable of DNS and HTTP hijacking, its designers having equipped it with specific modules to intercept and manipulate network traffic. By hijacking DNS queries, the malware can redirect traffic to servers controlled by the attackers, while HTTP hijacking can alter web communications to inject malicious content or steal sensitive information.

Cuttlefish knows how to perform HTTP hijacking - © Maram / Shutterstock

Lumen’s report also states that Cuttlefish uses these hijacking techniques primarily for connections to private IP addresses, which are associated with communications on an internal network. This suggests that attackers are seeking to remain discreet and maintain a persistent presence within the targeted network. By targeting private IP addresses, Cuttlefish can potentially access data and systems that are not normally accessible from outside the company network, increasing the scope of the attack without raising suspicion. This behavior of ambush, camouflage and discretion before deploying its weapons strongly resembles that of a cuttlefish hunting at the bottom of the sea.
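
A defender-side check for the DNS redirection described above, as an added example that is not taken from the article or from Lumen's report: it scans resolver logs for internal hostnames whose answers leave a known-good baseline, in particular names that should resolve to private (RFC 1918) addresses but come back with a public one. The hostnames, log format and baseline are constructed assumptions.

```python
import ipaddress

# Constructed baseline: internal names and the private addresses they should return.
BASELINE = {
    "intranet.corp.example": {"10.0.5.20"},
    "git.corp.example": {"10.0.5.31", "10.0.5.32"},
    "nas.corp.example": {"192.168.10.4"},
}

# Constructed resolver log: "timestamp client qname answer[,answer...]"
SAMPLE_LOG = """\
2024-04-30T09:14:02Z 192.168.1.23 intranet.corp.example 10.0.5.20
2024-04-30T09:14:07Z 192.168.1.23 git.corp.example 10.0.5.32
2024-04-30T09:15:41Z 192.168.1.40 nas.corp.example 203.0.113.77
2024-04-30T09:16:03Z 192.168.1.40 git.corp.example 10.0.9.9
2024-04-30T09:16:30Z 192.168.1.51 www.example.org 198.51.100.10
malformed line
"""

# Explicit RFC 1918 ranges: ipaddress.is_private also covers documentation
# and other special-purpose ranges, which would hide a public redirect.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    return any(ip in net for net in RFC1918)

def find_suspect_answers(log_text, baseline):
    """Return (ts, client, qname, answer, reason) for answers outside the baseline."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, qname, answers = parts
        expected = baseline.get(qname.lower().rstrip("."))
        if expected is None:
            continue  # not an internal name we track
        for answer in answers.split(","):
            if answer in expected:
                continue
            try:
                reason = ("unexpected-private-address" if is_rfc1918(answer)
                          else "internal-name-to-public-address")
            except ValueError:
                reason = "unparseable-answer"
            findings.append((ts, client, qname, answer, reason))
    return findings
```

Run against logs collected on a host other than the router itself, since a compromised router cannot be trusted to report its own answers.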

Source: The Hacker News, Lumen
