New Cuttlefish Malware Hijacks Router Connections, Sniffs for Cloud Credentials


A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gathering authentication data from HTTP GET and POST requests.

“This malware is modular, designed primarily to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN),” the Black Lotus Labs team at Lumen Technologies said in a report published today.

“A secondary function gives it the capacity to perform both DNS and HTTP hijacking for connections to private IP space, associated with communications on an internal network.”

There is source code evidence suggesting overlaps with another previously known activity cluster called HiatusRAT, although no shared victimology has been observed to date. It’s said that these two operations are running concurrently.

Cuttlefish has been active since at least July 27, 2023, with the latest campaign running from October 2023 through April 2024 and predominantly infecting 600 unique IP addresses associated with two Turkish telecom providers.

The exact initial access vector used to compromise networking equipment is unclear. However, a successful foothold is followed by the deployment of a bash script that gathers host data, such as the contents of /etc, running processes, active connections, and mounts, and exfiltrates the details to an actor-controlled domain (“kkthreas[.]com/upload”).

Cuttlefish Malware

It subsequently downloads and executes the Cuttlefish payload from a dedicated server depending on the router architecture (e.g., Arm, i386, i386_i686, i386_x64, mips32, and mips64).

A noteworthy aspect is that the passive sniffing of the network packets is primarily designed to single out authentication data associated with public cloud-based services such as Alicloud, Amazon Web Services (AWS), Digital Ocean, CloudFlare, and BitBucket by creating an extended Berkeley Packet Filter (eBPF).

This functionality is governed by a ruleset that directs the malware either to hijack traffic destined for a private IP address, or to start a sniffer function for traffic heading to a public IP in order to steal credentials if certain parameters are met.
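As an added defender-side example (not code from the report or from Lumen), the following Python audit runs over constructed router-side HTTP request log entries and flags the two exposures described above: credential-bearing cleartext requests leaving the LAN for public IPs, which is exactly what the eBPF sniffer harvests, and uploads to the reported exfiltration endpoint. The log layout, field names, header names and sample values are assumptions.

```python
import ipaddress
import re

# Private IP space in the sense the report uses it: RFC 1918 plus loopback and link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]
# Exfil endpoint named in the report (written there defanged as kkthreas[.]com/upload).
EXFIL_HOST = "kkthreas.com"
EXFIL_PATH = "/upload"
# Assumed set of headers and query parameters that carry cloud credentials.
CRED_HEADERS = {"authorization", "x-amz-security-token", "x-auth-token", "cf-api-key"}
CRED_PARAMS = re.compile(r"(?i)(?:^|[&?])(?:access_?key|secret|token|password)=")

# Constructed sample log: (src_ip, dst_ip, scheme, method, host, path, headers)
SAMPLE_LOG = [
    ("192.168.1.20", "203.0.113.5", "http", "POST", "api.cloud.example", "/auth",
     {"Authorization": "Bearer eyJhbGciOi.constructed.token"}),
    ("192.168.1.20", "203.0.113.5", "https", "GET", "api.cloud.example", "/buckets",
     {"Authorization": "AWS4-HMAC-SHA256 Credential=constructed"}),
    ("192.168.1.31", "10.0.0.9", "http", "GET", "intranet.local", "/", {}),
    ("192.168.1.1", "198.51.100.7", "http", "POST", "kkthreas.com", "/upload", {}),
    ("192.168.1.44", "203.0.113.9", "http", "GET", "files.example", "/dl?token=abc123", {}),
]


def is_private(ip):
    """True if the address falls inside the private ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def audit(entries):
    """Return one finding string per request that matches an exposure."""
    findings = []
    for src, dst, scheme, method, host, path, headers in entries:
        has_cred = (any(h.lower() in CRED_HEADERS for h in headers)
                    or bool(CRED_PARAMS.search(path)))
        # Exposure 1: credential crosses the router in cleartext towards a public IP.
        if scheme == "http" and not is_private(dst) and has_cred:
            findings.append(f"cleartext credential {src} -> {host}{path} ({method})")
        # Exposure 2: host data upload to the reported actor-controlled endpoint.
        if host.lower() == EXFIL_HOST and path.startswith(EXFIL_PATH):
            findings.append(f"upload to reported exfil host from {src}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_LOG):
        print(line)
```

The third entry, a cleartext request to a private IP, is deliberately left unflagged: it is the traffic class the hijack rules target, but no credential leaves the LAN, so a separate DNS or route integrity check is the right control there.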

The hijack rules, for their part, are retrieved and updated from a command-and-control (C2) server set up for this purpose after establishing a secure connection to it using an embedded RSA certificate.

The malware is also equipped to act as a proxy and a VPN to transmit the captured data through the infiltrated router, thereby allowing the threat actors to use the stolen credentials to access targeted resources.

“Cuttlefish represents the latest evolution in passive eavesdropping malware for edge networking equipment […] as it combines multiple attributes,” the cybersecurity firm said.

“It has the ability to perform route manipulation, hijack connections, and employs passive sniffing capability. With the stolen key material, the actor not only retrieves cloud resources associated with the targeted entity but gains a foothold into that cloud ecosystem.”

Ravie Lakshmanan
