HiatusRAT, a notable malware since its emergence in 2021, exhibits a distinctive focus on network devices, particularly routers. Its capabilities span from packet analysis with a tailored tcpdump tool, to executing diverse commands received from a command server. By infecting routers, it reaches all the traffic that goes in and out the network.
HiatusRAT boasts versatile functionalities, including setting up SocksV5 proxies, file manipulation, remote shell generation, and self-destruct capabilities. Its agility in targeting routers underscores its potential to compromise and control network infrastructure with finesse. Most probably, it is backed by Chinese state-sponsored threat actors.
HiatusRAT Overview
Initially, I was looking at HiatusRAT from the perspective of its network architecture. Instead of infecting computers or servers, this RAT is injected into networking devices. This strategy has been in place since its emergence in late 2021. Rather than compromising individual computers within the network, HiatusRAT aims to control routers.
Such an approach may actually be even more effective, as routers serve as gateways for vast volumes of information. However, HiatusRAT doesn’t shy away from delivering supplementary payloads to the targeted systems. In addition to conducting network sniffing, these compromised router networks double as proxy servers. This duality effectively conceals the true IP address from the intended server.
| Name | HiatusRAT |
| Detection | HiatusRAT |
| Threat type | Remote-access Trojan |
| Damage | Parasites on networking equipment, sniffs all the network traffic, allows for malware injection. |
| Similar Behavior | |
| Fix Tool | See If Your System Has Been Affected by HiatusRAT Virus |
As a payload propagation target, the attackers search for business-grade network routers with vulnerable firmware. Initially, the botnet targeted Draytek routers, specifically the Vigor 2960 and 3900 models. Those are outdated and apparently have some flaws in their software. As time passed, the malware evolved to infiltrate routers with chipsets founded on Arm, i386, x86-64, and MIPS/MIPS64 architectures. This expanded scope covers a significant array of devices. Notably, updates to network infrastructure firmware tend to be implemented even more cautiously than updates to regular software.
HiatusRAT Technical Analysis
The exact sequence for injecting the RAT into the router remains unclear. However, it’s evident that upon initial access, attackers run a batch script that downloads the payload and an auxiliary tcpdump tool, specialized for packet analysis.
Once activated, HiatusRAT immediately removes any competing processes on the 8816 port. If present, the malware halts one process and proceeds with its regular launch. The subsequent step involves gathering foundational information about the host device. This encompasses the MAC address, architecture, firmware, kernel versions, file system details, and potentially stored internal memory files.
With these checks complete, the malware references a compact JSON file, likely housing its configuration. Inside, the RAT acquires the C2 server addresses. Alongside the primary server, a secondary server receives packages from the modified tcpdump tool. The initial communication with the control server takes the form of a classic HTTP POST request. This request transmits several fields containing basic system data collected in the previous step.
Host: 104.250.48[.]192:443
Accept: */*
Content-Type: application/json
X_UTIME: 1674762549
X_UUID: 005056c00001
X_TOKEN: ffca0c6ca91ce7070c3e5e41d7c983a2
Functionality Review
I already mentioned the tcpdump-like tool that contributes significantly to the RAT’s functionality. However, the tool’s capabilities extend beyond this point. Hiatus can receive diverse commands from the command server, which can modify its functionality or even compel the malware to self-destruct. Curiously, some of these functions have remained unused until now, despite being available since the malware’s initial release in 2021. Here’s a breakdown of some of the available commands.
| Command | Description |
|---|---|
| Tcp_forward | Configures forwarding rules with designated IP and port configurations. These changes are applied to the router settings, resulting in the forwarding of TCP traffic through the specified port. |
| File | Specifies a file to be read, deleted, or uploaded on the infected host. This command provides guidance for managing files on the compromised device. |
| Script | Similar to the Executor command, this command downloads and runs a script from the C2 server. It plays a role in the malware’s delivery mechanism. |
| Shell | Generates a remote shell on the compromised router. This shell instance works in conjunction with the Execute and Script commands, collectively forming the malware delivery mechanism. |
| Socks5 | Establishes a SocksV5 proxy on the compromised device. This proxy facilitates port forwarding and listening in accordance with RFC 1928. |
| Quit | A self-explanatory command that forces the malware to self-destruct, terminating all ongoing operations. |
| Executor | Issues commands to download and execute a file from the command server. This command effectively serves as a means to execute remote files. |
Real-world applications
The continuous cyberattack targeting Taiwanese enterprises and a government entity first surfaced in August 2023. Researchers who had previously examined the HiatusRAT botnet, identified a fresh surge in connections emanating from Taiwanese IP address zones. Subsequently, a series of cyberattacks struck chemical production facilities, semiconductor manufacturers, and a municipal body were uncovered. They surely corelate, especially considering that key damage of these attacks was a huge data leak.
The scenario concerning the U.S. Department of Defence follows a different trajectory. The same research team detected incoming traffic to the botnet’s IP addresses, originating not only from Taiwan but also from the U.S. It was revealed that the malicious actors behind the RAT exploited a Tier 2 server to establish a link with the DoD server dedicated to defense contracts proposals. Thankfully, no substantial breach ensued, indicating hackers likely engaged in preliminary reconnaissance before potential future actions.
How to protect against HiatusRAT?
There are not much you can do against such a tricky malware once it is inside. Resetting the router is an option, but there is also a much more effective alternative. Moreover, there is also a need for a well-done anti-malware program – let me explain what for.
Ensure the regular updating or upgrading of your networking devices. Given that vulnerable router firmware is the prime target for malware injection, maintaining up-to-date firmware is crucial. Stay vigilant regarding malware attacks executed through networking device vulnerabilities. Typically, manufacturers release updates within weeks. However, in certain cases, aging devices may reach end-of-life status and cease to receive support. In such situations, opting for device replacement becomes the most effective and definitive strategy to eliminate potential hazards.
Perfect anti-malware program will serve as a second line of defense. If bad things happen and malware manages to get into your router, it is better to give it 0 chances for further mischief. As I mentioned above, HiatusRAT is capable of delivering malware to the systems connected to the compromised router, using specific commands from the C2. To prevent malware from running in your system, regardless of its source, I’d recommend using GridinSoft Anti-Malware.
Remove HiatusRAT with Gridinsoft Anti-Malware
We have also been using this software on our systems ever since, and it has always been successful in detecting viruses. It has blocked the most common remote access trojans as shown from our tests with the software, and we assure you that it can remove HiatusRAT as well as other malware hiding on your computer.
To use Gridinsoft for remove malicious threats, follow the steps below:
1. Begin by downloading Gridinsoft Anti-Malware, accessible via the blue button below or directly from the official website gridinsoft.com.
2.Once the Gridinsoft setup file (setup-gridinsoft-fix.exe) is downloaded, execute it by clicking on the file.
3.Follow the installation setup wizard's instructions diligently.
4. Access the "Scan Tab" on the application's start screen and launch a comprehensive "Full Scan" to examine your entire computer. This inclusive scan encompasses the memory, startup items, the registry, services, drivers, and all files, ensuring that it detects malware hidden in all possible locations.
Be patient, as the scan duration depends on the number of files and your computer's hardware capabilities. Use this time to relax or attend to other tasks.
5. Upon completion, Anti-Malware will present a detailed report containing all the detected malicious items and threats on your PC.
6. Select all the identified items from the report and confidently click the "Clean Now" button. This action will safely remove the malicious files from your computer, transferring them to the secure quarantine zone of the anti-malware program to prevent any further harmful actions.
8. If prompted, restart your computer to finalize the full system scan procedure. This step is crucial to ensure thorough removal of any remaining threats. After the restart, Gridinsoft Anti-Malware will open and display a message confirming the completion of the scan.
Remember Gridinsoft offers a 6-day free trial. This means you can take advantage of the trial period at no cost to experience the full benefits of the software and prevent any future malware infections on your system. Embrace this opportunity to fortify your computer's security without any financial commitment.
Trojan Killer for “HiatusRAT” removal on locked PC
In situations where it becomes impossible to download antivirus applications directly onto the infected computer due to malware blocking access to websites, an alternative solution is to utilize the Trojan Killer application.
There is a really little number of security tools that are able to be set up on the USB drives, and antiviruses that can do so in most cases require to obtain quite an expensive license. For this instance, I can recommend you to use another solution of GridinSoft - Trojan Killer Portable. It has a 14-days cost-free trial mode that offers the entire features of the paid version. This term will definitely be 100% enough to wipe malware out.
Trojan Killer is a valuable tool in your cybersecurity arsenal, helping you to effectively remove malware from infected computers. Now, we will walk you through the process of using Trojan Killer from a USB flash drive to scan and remove malware on an infected PC. Remember, always obtain permission to scan and remove malware from a computer that you do not own.
Step 1: Download & Install Trojan Killer on a Clean Computer:
1. Go to the official GridinSoft website (gridinsoft.com) and download Trojan Killer to a computer that is not infected.
2. Insert a USB flash drive into this computer.
3. Install Trojan Killer to the "removable drive" following the on-screen instructions.
4. Once the installation is complete, launch Trojan Killer.
Step 2: Update Signature Databases:
5. After launching Trojan Killer, ensure that your computer is connected to the Internet.
6. Click "Update" icon to download the latest signature databases, which will ensure the tool can detect the most recent threats.
Step 3: Scan the Infected PC:
7. Safely eject the USB flash drive from the clean computer.
8. Boot the infected computer to the Safe Mode.
9. Insert the USB flash drive.
10. Run tk.exe
11. Once the program is open, click on "Full Scan" to begin the malware scanning process.
Step 4: Remove Found Threats:
12. After the scan is complete, Trojan Killer will display a list of detected threats.
13. Click on "Cure PC!" to remove the identified malware from the infected PC.
14. Follow any additional on-screen prompts to complete the removal process.
Step 5: Restart Your Computer:
15. Once the threats are removed, click on "Restart PC" to reboot your computer.
16. Remove the USB flash drive from the infected computer.
Congratulations on effectively removing HiatusRAT and the concealed threats from your computer! You can now have peace of mind, knowing that they won't resurface again. Thanks to Gridinsoft's capabilities and commitment to cybersecurity, your system is now protected.
Frequently Asked Questions (FAQ)
Reformatting your storage device should only be considered as a last resort for removing HiatusRAT malware. Prior to taking such drastic action, it is advisable to perform a comprehensive scan using trustworthy antivirus or anti-malware software.
Malware poses a significant risk to the security and privacy of sensitive information, potentially leading to identity theft, financial loss, and unauthorized access to personal accounts. Furthermore, it can disrupt the normal operation of a system, causing performance issues, system crashes, and data corruption.
The purpose of HiatusRAT is to enable remote access and control of compromised devices. It allows threat actors to perform various malicious activities, such as unauthorized access, data theft, system manipulation, and disabling security measures, potentially causing significant harm to individuals and organizations.
Gridinsoft Anti-Malware has the ability to identify and eliminate most malware infections. Nevertheless, it is crucial to recognize that sophisticated malware can remain hidden deep within the system. Consequently, conducting a complete system scan is imperative to detect and eradicate malware.
How to Remove HiatusRAT Malware
Name: HiatusRAT
Description: HiatusRAT, a significant cyber threat emerging in 2021, exhibits a distinct focus on compromising routers and networking devices. Equipped with a specialized tcpdump tool, it conducts packet analysis and executes diverse commands received from its command server. Its adaptable functionalities encompass setting up proxy servers, file manipulation, remote shell generation, and self-destruction. To counter its menace, regular updating of vulnerable router firmware is essential. Monitoring for malware attacks stemming from device vulnerabilities is crucial, with manufacturers often releasing updates promptly. In cases of outdated and unsupported devices, replacement becomes the most reliable mitigation strategy against this versatile and evolving threat.
Operating System: Windows
Application Category: Malware
