HiatusRAT malware resurfaces and attacks Taiwanese and American organizations


Camille Coirault

August 22, 2023 at 4:00 p.m.


HiatusRAT malware is back in the headlines with a series of targeted attacks. Several Taiwanese companies are affected, as is a server belonging to the United States Department of Defense.

A new wave of activity by the authors of this malware has recently been detected. At a time when cyberattacks are increasing year after year, concern about the persistence of certain attackers is growing too. HiatusRAT was already known and documented, but that did not stop its operators from returning with a change of tactics to carry out these new attacks.

A new modus operandi to evade security systems

HiatusRAT had not been talked about for some time. Between July 2022 and March 2023 it was used to compromise business-grade routers and collect data in Latin America, Europe and the United States. Then came radio silence, but its operators now appear to have put their creation back to work.

These new attacks relied on tactics not previously seen from this group. According to Lumen Black Lotus Labs, the malware samples were recompiled for several different architectures and hosted on new VPS (virtual private servers). Once established on these new servers, the attackers carried out reconnaissance and probed the targeted systems for vulnerabilities. A major difficulty for the victims is that the origin of these attacks, and who is behind them, remains unknown.

The targets concerned

This time the attackers chose very specific targets. First, semiconductor and chemical manufacturers based in Taiwan, along with a municipal government organization on the island. Then a United States Department of Defense server, used in the process of submitting and handling proposals for defense contracts, was also targeted. All of these are organizations that hold highly sensitive information.


US Department of Defense, one of the targets of the attacks © Reuters

In total, more than 100 network devices have been infected with HiatusRAT, enabling the passive collection of large amounts of traffic data. Once compromised, these devices were themselves turned into command and control infrastructure (C2 in the jargon), which lets the attackers maintain communications with the other infected devices.

All of these attacks were observed between June and August 2023 and show how persistently the HiatusRAT operators work to get past security systems. The samples were compiled specifically for the Intel 80386, Arm, x86-64, i386, MIPS and MIPS64 architectures. Although the objective of these attacks has not been clearly established, the choice of targets is cause for concern.
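The multi-architecture builds are the one detail above that a responder can act on directly: if suspicious binaries have been pulled off a router, sorting them by target CPU tells you which device models are in scope. The following is an added example, not code from the original article or from Lumen Black Lotus Labs. It reads the ELF identification bytes and the e_machine field of each file and labels it with the architecture names listed above. The header bytes used as input are constructed stubs, not real HiatusRAT samples, and the function names are my own.

```python
"""Triage ELF binaries by target architecture.

Added example (not from the article or from Black Lotus Labs). Only the
first 20 bytes of each file are needed: the ELF identification block and the
16-bit e_machine field at offset 18. Constructed stub headers stand in for
real samples.
"""
import struct
from typing import Dict, List, Optional

ELF_MAGIC = b"\x7fELF"

# e_machine constants from the System V ABI / ELF specification.
EM_386 = 0x03       # Intel 80386 and the i386 family share this value
EM_MIPS = 0x08      # MIPS (32- and 64-bit; ELF class tells them apart)
EM_ARM = 0x28       # 32-bit Arm
EM_X86_64 = 0x3E    # AMD64 / x86-64
EM_AARCH64 = 0xB7   # 64-bit Arm


def elf_arch(header: bytes) -> Optional[str]:
    """Return an architecture label for an ELF header, or None if not ELF."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return None
    ei_class = header[4]  # 1 = ELFCLASS32, 2 = ELFCLASS64
    ei_data = header[5]   # 1 = little-endian, 2 = big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_machine is stored in the file's own byte order at offset 18.
    (e_machine,) = struct.unpack(endian + "H", header[18:20])
    bits = 32 if ei_class == 1 else 64

    if e_machine == EM_386:
        return "i386"
    if e_machine == EM_X86_64:
        return "x86-64"
    if e_machine == EM_ARM:
        return "arm"
    if e_machine == EM_AARCH64:
        return "arm64"
    if e_machine == EM_MIPS:
        # MIPS toolchains commonly name builds by width and endianness.
        suffix = "el" if ei_data == 1 else "eb"
        return "mips64" + suffix if bits == 64 else "mips" + suffix
    return "unknown(e_machine=0x%02x, %d-bit)" % (e_machine, bits)


def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Build a constructed 24-byte ELF header stub (not a real sample)."""
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7
    # e_type = 2 (ET_EXEC), then e_machine, then e_version = 1.
    return ident + struct.pack(endian + "HHI", 2, e_machine, 1)


def triage(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group sample names by architecture label ('not-elf' for non-ELF data)."""
    groups: Dict[str, List[str]] = {}
    for name, data in samples.items():
        label = elf_arch(data) or "not-elf"
        groups.setdefault(label, []).append(name)
    return groups


# Constructed inputs mirroring the architectures named in the article.
CONSTRUCTED_SAMPLES = {
    "drop_i386": make_header(1, 1, EM_386),
    "drop_x64": make_header(2, 1, EM_X86_64),
    "drop_arm": make_header(1, 1, EM_ARM),
    "drop_mipsel": make_header(1, 1, EM_MIPS),
    "drop_mips64eb": make_header(2, 2, EM_MIPS),
    "readme.txt": b"not an executable",
}

if __name__ == "__main__":
    for arch, names in sorted(triage(CONSTRUCTED_SAMPLES).items()):
        print(arch, ",".join(names))
```

In a real engagement you would feed the first 20 bytes of every file recovered from the device instead of the constructed headers; the grouping then tells you which router families each build can actually run on.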

Source : The Hacker News


