Keypoints
- Hiatus targets end-of-life DrayTek Vigor 2960 and 3900 routers and provides precompiled binaries for ARM, i386 and MIPS architectures.
- Post-exploitation, a deployed bash script downloads two executables—HiatusRAT (named like “qwert_8h_{architecture}”) and a tcpdump-based packet-capture binary—and places them in a “database” directory.
- HiatusRAT opens a listener on port 8816, performs host enumeration (MAC, kernel, firmware, network interfaces, ARP, mounts, process list), and sends a heartbeat via HTTP POST to a heartbeat C2 with custom headers and an X_TOKEN checksum.
- Built-in HiatusRAT functions include remote shell, file read/upload/delete, executor/script execution, tcp_forward (TCP relay), and a SOCKS5 proxy to relay or obfuscate command-and-control and other agent traffic.
- The tcpdump variant captures outbound traffic on FTP/SMTP/POP3/IMAP ports (21, 25, 110, 143) and uploads capture files to an upload C2 (observed 46.8.113[.]227).
- Lumen telemetry indicates version 1.5 activity began July 2022 and identified approximately 100 compromised routers (≈2% of exposed DrayTek 2960/3900 devices), suggesting a small, targeted footprint.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Likely leveraged vulnerabilities in end-of-life DrayTek routers to gain initial access (‘operationalized end-of-life DrayTek Vigor models 2960 and 3900’).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The actor deploys and runs a bash script post-exploitation to fetch payloads (‘a bash script that gets deployed post-exploitation and two executables retrieved by the bash script’).
- [T1105] Ingress Tool Transfer – The campaign downloads and installs HiatusRAT and a packet-capture binary onto the router (‘downloads and executes two malicious binaries – HiatusRAT and a packet-capture binary’).
- [T1082] System Information Discovery – The malware collects system-level details such as MAC, kernel, architecture, and firmware (‘MAC address, Kernel version, Architecture, Firmware release version’).
- [T1016] System Network Configuration Discovery – The agent gathers network data including ifconfig outputs and the ARP cache to discover adjacent LAN hosts (‘ifconfig command outputs and the ARP cache’).
- [T1040] Network Sniffing – The tcpdump variant captures network traffic on mail and file-transfer ports to collect communications from the LAN (‘collects outbound connections associated with the following ports: Port 21… Port 25… Port 110… Port 143’).
- [T1071.001] Application Layer Protocol: Web Protocols (HTTP/S) – Heartbeat and data exfiltration use HTTP POST to communicate with the heartbeat C2 (‘heartbeat beacon sent to the heartbeat C2 via HTTP POST’).
- [T1090] Proxy – HiatusRAT implements SOCKS5 and tcp_forward to relay traffic and obscure the origin of other agents (‘sets up a SOCKS version 5 proxy on the compromised router’ and tcp_forward functionality to forward TCP data).
- [T1041] Exfiltration Over C2 Channel – Captured packet files and enumeration data are sent to an upload C2 (observed 46.8.113[.]227) for remote collection (‘it is sent to the “upload C2” located at 46.8.113[.]227’).
Indicators of Compromise
- [IP Address] C2 and upload servers – upload C2: 46.8.113[.]227; example heartbeat host: 104.250.48[.]192:443 (observed in POST header example).
- [File name / Path] Malicious binaries and deployment artifacts – ‘qwert_8h_i386’ (HiatusRAT naming pattern), ‘qwert_8h_{architecture}’, and actor-created directory ‘database’.
- [Port] Listeners and capture ports – HiatusRAT listener port 8816; packet capture targeted ports 21, 25, 110, 143.
- [Token/Hash] Example X_TOKEN checksum used in heartbeat headers – ffca0c6ca91ce7070c3e5e41d7c983a2 (computed MD5 example shown in report).
- [Certificate Metadata] Self-signed X.509 certificates for C2 nodes first observed on July 21, 2022 – used to identify start of version 1.5 activity.
Hiatus deploys a post-exploitation bash script that installs two purpose-built binaries on compromised DrayTek routers: HiatusRAT (distributed as “qwert_8h_{architecture}”) and a tcpdump-based packet-capture tool compiled for ARM, i386, MIPS64 BE and MIPS32 LE. The script places files into a “database” directory and activates HiatusRAT, which ensures a single instance by binding to port 8816, enumerates system and network state (MAC, kernel, firmware, ifconfig output, ARP cache, mounts, process list), and periodically sends a heartbeat via HTTP POST to a hard-coded heartbeat C2 using custom headers and an MD5-based X_TOKEN.
Functionally, HiatusRAT provides remote shell, file read/upload/delete, remote executor, script execution, a tcp_forward TCP relay, and a SOCKS5 proxy per RFC 1928. These features permit the actor to proxy beaconing and command channels for other compromised agents (obfuscating origin and bypassing geo-fencing), download and run additional modules, and interact with passive agents. The tcpdump variant passively captures outbound FTP/SMTP/POP3/IMAP traffic (ports 21, 25, 110, 143) and uploads capture files to an upload C2 (observed 46.8.113[.]227), enabling collection of email and file-transfer data from the router’s adjacent LAN.
Lumen telemetry tied embedded configuration and self-signed certificates to C2 infrastructure first seen July 21, 2022, and identified roughly 100 infected routers (predominantly in Europe and Latin America), indicating a small, selective campaign. Defenders should monitor for the listed IPs, filenames, ports, and heartbeat HTTP patterns, prioritize patching or replacing end-of-life DrayTek devices, and restrict internet exposure of the management interfaces on business-grade routers.
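As an added illustration of the heartbeat monitoring suggested above (example code written for this summary, not from Lumen or the report), the following triage routine flags HTTP events that match the two traits the summary gives for a HiatusRAT heartbeat: a POST to a known C2 address and a custom X_TOKEN header carrying a 32-hex MD5-style value. It assumes decrypted HTTP metadata is available (for example from a TLS-inspecting gateway); the `HttpEvent` record layout and the sample events are constructed, and the two IPs and the token value are the ones quoted in the summary.

```python
import re
from dataclasses import dataclass, field

# Indicators quoted in the summary above, with the [.] defanging removed.
HIATUS_C2 = {"46.8.113.227", "104.250.48.192"}
MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

@dataclass
class HttpEvent:          # constructed record shape, not a real log format
    src: str
    dst: str              # destination IP of the request
    method: str
    headers: dict = field(default_factory=dict)

def heartbeat_indicators(ev: HttpEvent) -> list:
    """Return the Hiatus-style indicators one event matches (possibly none)."""
    hits = []
    if ev.dst in HIATUS_C2:
        hits.append("known Hiatus C2 destination")
    # Header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in ev.headers.items()}
    token = hdrs.get("x_token")
    if token is not None:
        hits.append("X_TOKEN header present")
        if MD5_HEX.match(token):
            hits.append("X_TOKEN is a 32-hex MD5-style checksum")
        if ev.method.upper() == "POST":
            hits.append("POST with X_TOKEN (heartbeat shape)")
    return hits

def triage(events):
    """Keep only events with at least one hit, most indicators first."""
    flagged = [(e, heartbeat_indicators(e)) for e in events]
    return sorted([(e, h) for e, h in flagged if h], key=lambda eh: -len(eh[1]))

# Constructed sample events: a heartbeat look-alike built from the report's
# example values, an ordinary GET, and a benign internal POST.
SAMPLE_EVENTS = [
    HttpEvent("192.168.1.1", "104.250.48.192", "POST",
              {"Host": "104.250.48.192:443",
               "X_TOKEN": "ffca0c6ca91ce7070c3e5e41d7c983a2"}),
    HttpEvent("192.168.1.20", "93.184.216.34", "GET", {"Host": "example.com"}),
    HttpEvent("192.168.1.30", "10.0.0.5", "POST", {"Host": "intranet"}),
]

if __name__ == "__main__":
    for ev, hits in triage(SAMPLE_EVENTS):
        print(f"{ev.src} -> {ev.dst}: {'; '.join(hits)}")
```

A destination match alone is enough to escalate; the header checks exist so that a heartbeat to a not-yet-listed C2 still surfaces by shape.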