The Black Lotus Labs team at Lumen Technologies tracks Cuttlefish, a modular malware platform that targets enterprise-grade and small office/home office (SOHO) routers to steal authentication material and hijack DNS and HTTP traffic. It combines passive packet sniffing, in-network hijacking and LAN propagation with VPN/proxy tunnelling back through the compromised router to exfiltrate data, reuse stolen credentials and maintain persistence. Activity is concentrated in Turkey, and the code and methodology overlap with HiatusRat. #Cuttlefish #HiatusRat #BlackLotusLabs #LumenTechnologies #PRC #Turkey
Keypoints
- The Cuttlefish malware targets networking equipment (SOHO/enterprise routers) and primarily seeks authentication material in web requests traversing the LAN.
- It can perform DNS and HTTP hijacking for connections to private IP space, plus passive packet sniffing to capture credentials.
- Behaviour is rule-driven: rule sets are downloaded from and updated by the C2, which lets the operator change which IP ranges are hijacked and which traffic is sniffed for credentials without redeploying the implant.
MITRE Techniques
- [T1059.004] Unix Shell – A bash script enumerates the device and downloads and executes the payloads. "The threat actor deploys a bash script that gathers certain host-based data to send to the C2."
- [T1082] System Information Discovery – The bash script enumerates the device: directory listing, contents of /etc, running processes, active connections (via netstat) and mounts. "The bash script begins to enumerate the device, looking for details such as the directory listing, the contents of '/etc,' running processes, active connections (via netstat), and the mounts."
- [T1040] Network Sniffing – The malware captures LAN traffic with libpcap and a BPF filter to eavesdrop on connections and pull authentication material out of web requests in transit. "The sample uses libpcap to create an extended Berkeley Packet Filter (eBPF) for eavesdropping and hijacking IP ranges."
- [T1560] Archive Collected Data – Collected data is compressed into co.tmp.tar.gz before exfiltration. "it compresses all data and names the file 'co.tmp.tar.gz.'"
- [T1071.004] DNS – DNS hijacking of requests bound for private IP space: matching queries are redirected to the DNS server named in the configuration file. "If the agent observes a DNS request to a private IP, it redirects the request to a DNS server in the configuration file."
- [T1071.001] Web Protocols – HTTP hijacking: a 302 response (a redirection status, not an error) is injected into the stream so the client follows it to actor-controlled infrastructure. "HTTP requests are purloined by inserting a 302-error code… into the data stream, allowing the connection to be redirected toward actor-controlled infrastructure."
- [T1090] Proxy – A VPN or proxy tunnel back through the compromised router lets the actor use stolen credentials from inside the victim's network. "the threat actor creates either a VPN or proxy tunnel back into the compromised router."
- [T1572] Protocol Tunneling – The same VPN/proxy tunnel carries traffic between the C2 and the LAN, giving the actor persistent access to internal resources and data. "VPN or proxy tunnel back through the compromised router…"
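The two hijacks described under T1071.004 and T1071.001 above both leave a signature visible from the LAN side: a DNS query sent to a private-IP resolver whose reply arrives from a different address, and an HTTP request to a private IP that is answered with a 302 pointing off the private network. The following detector is an added example written for this page; it is not Black Lotus Labs' code and not taken from the Cuttlefish samples. It assumes a sensor that summarises each DNS and HTTP exchange into a record of the shape shown, the flow records themselves are constructed for illustration (the redirect target reuses a domain from the IOC list below), and the DNS heuristic assumes the redirected reply is not spoofed to carry the original resolver's source address.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample records (not capture data). One record per request/response
# pair, as a LAN sensor might summarise them.
DNS_FLOWS = [
    {"client": "192.168.10.50", "resolver": "192.168.10.1",
     "answered_by": "192.168.10.1", "qname": "intranet.example"},
    {"client": "192.168.10.50", "resolver": "192.168.10.1",
     "answered_by": "114.114.114.114", "qname": "mail.example"},   # hijacked reply
    {"client": "192.168.10.51", "resolver": "8.8.8.8",
     "answered_by": "8.8.8.8", "qname": "www.example"},
]
HTTP_FLOWS = [
    {"client": "192.168.10.50", "dst": "10.0.0.5", "status": 200, "location": None},
    {"client": "192.168.10.50", "dst": "10.0.0.5", "status": 302,
     "location": "http://10.0.0.5/login"},            # benign on-net redirect
    {"client": "192.168.10.50", "dst": "10.0.0.5", "status": 302,
     "location": "http://kkthreas.com/upload"},        # redirect to a C2 domain from the IOC list
]


def is_private(ip: str) -> bool:
    """RFC 1918, loopback and link-local addresses."""
    return ipaddress.ip_address(ip).is_private


def check_dns(flow: dict) -> Optional[str]:
    """Client asked a private-IP resolver, but the reply came from somewhere else.
    Assumes (see lead-in) the hijacked reply keeps the real responder's address."""
    if not is_private(flow["resolver"]):
        return None                       # only private-space queries are hijacked
    if flow["answered_by"] != flow["resolver"]:
        return (f"DNS hijack: {flow['client']} asked {flow['resolver']} for "
                f"{flow['qname']}, reply came from {flow['answered_by']}")
    return None


def check_http(flow: dict) -> Optional[str]:
    """Request to a private IP answered with a 302 whose Location leaves the LAN."""
    if not is_private(flow["dst"]) or flow["status"] != 302 or not flow["location"]:
        return None
    host = urlparse(flow["location"]).hostname
    if host is None:
        return None                       # relative Location: same origin, not a hijack
    try:
        off_net = not is_private(host)    # Location carries a literal IP
    except ValueError:
        off_net = True                    # Location carries a DNS name; tune for internal names
    if off_net:
        return f"HTTP hijack: {flow['client']} -> {flow['dst']} got 302 to {flow['location']}"
    return None


def scan(dns_flows: List[dict], http_flows: List[dict]) -> List[str]:
    """Run both checks and return the alert strings in input order."""
    alerts = [a for f in dns_flows if (a := check_dns(f)) is not None]
    alerts += [a for f in http_flows if (a := check_http(f)) is not None]
    return alerts


if __name__ == "__main__":
    for alert in scan(DNS_FLOWS, HTTP_FLOWS):
        print(alert)
```

Run against the sample records this reports the second DNS exchange (reply from 114.114.114.114 to a query aimed at 192.168.10.1) and the third HTTP exchange (302 off-net); the on-net 302 to 10.0.0.5 is left alone. The DNS name branch in check_http deliberately errs toward alerting, so an environment with internal hostnames in Location headers should add an allow-list there.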
Indicators of Compromise
- [Domain] – kkthreas[.]com, fadsdsdasaf2233[.]com and related infrastructure used for C2 and file delivery
- [IP Address] – 198.98.56.93, 205.185.122.121, 209.141.49.178 (C2 and upload infrastructure)
- [URL] – https://kkthreas[.]com/upload, https://205.185.122[.]121:443/upload?uuid=UUID_CREATED_EARLIER
- [File/Directory] – co.tmp.tar.gz, /.timezone, /tmp/log.txt, /tmp/config.js, /tmp/thconfigjs, /tmp/.Pg88s51gQG4tFyImFsT9qy6ZM5TeTF8.so
- [Certificate] – Self-signed X.509 certificate with common name 192.168.10.39
- [IP/Domain] – 114.114.114.114 (the DNS server that hijacked queries are redirected to; this is a public resolver, so treat it as a configuration indicator rather than actor infrastructure), 2.2.2.2 (IP used in the DNS field of the configuration)
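An IOC sweep over artefacts pulled from a suspect router, added here as an example and not part of the page or the Lumen research. It matches the indicators listed above against a file listing, netstat -an output, resolv.conf and a list of queried names; all four inputs are constructed sample data, and the netstat parser assumes the usual Linux column layout (proto, Recv-Q, Send-Q, local, foreign, state). 114.114.114.114 is flagged separately because it is a public resolver that a router may legitimately be configured with; it is a lead, not a conviction.

```python
import os
import re
from typing import Dict, List

# Indicator sets from the list above, with defanging removed so they match raw data.
C2_IPS = {"198.98.56.93", "205.185.122.121", "209.141.49.178"}
C2_DOMAINS = {"kkthreas.com", "fadsdsdasaf2233.com"}
IOC_PATHS = {"/.timezone", "/tmp/log.txt", "/tmp/config.js", "/tmp/thconfigjs",
             "/tmp/.Pg88s51gQG4tFyImFsT9qy6ZM5TeTF8.so"}
IOC_NAMES = {"co.tmp.tar.gz"}            # staging archive, matched by basename anywhere
HIJACK_DNS = {"114.114.114.114", "2.2.2.2"}  # resolver/DNS-field values from the IOC list

# netstat -an style line: proto recv-q send-q local:port foreign:port [state]
NETSTAT_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")

# Constructed sample inputs (not from a real device).
SAMPLE_LISTING = [
    "/tmp/log.txt", "/tmp/config.js", "/tmp/.Pg88s51gQG4tFyImFsT9qy6ZM5TeTF8.so",
    "/var/run/co.tmp.tar.gz", "/etc/passwd", "/tmp/config.json",
]
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.10.1:443        192.168.10.50:51234     ESTABLISHED
tcp        0      0 203.0.113.7:45678       205.185.122.121:443     ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
""".splitlines()
SAMPLE_RESOLV = "nameserver 192.168.10.1\nnameserver 114.114.114.114\n"
SAMPLE_QNAMES = ["www.example", "kkthreas.com", "cdn.fadsdsdasaf2233.com", "notkkthreas.com"]


def scan_paths(listing: List[str]) -> List[str]:
    """Exact path match for the dropped files, basename match for the archive."""
    return [p for p in listing
            if p in IOC_PATHS or os.path.basename(p) in IOC_NAMES]


def scan_netstat(lines: List[str]) -> List[str]:
    """Foreign endpoints that belong to the C2 address set."""
    hits = []
    for line in lines:
        m = NETSTAT_RE.match(line.strip())
        if m and m.group(4) in C2_IPS:
            hits.append(f"{m.group(4)}:{m.group(5)}")
    return hits


def scan_resolvers(resolv_conf: str) -> List[str]:
    """nameserver entries that equal a DNS-hijack target from the IOC list."""
    hits = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver" and parts[1] in HIJACK_DNS:
            hits.append(parts[1])
    return hits


def scan_qnames(qnames: List[str]) -> List[str]:
    """Queried names equal to, or subdomains of, the C2 domains."""
    return [q for q in qnames
            if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS)]


def sweep(listing: List[str], netstat_lines: List[str],
          resolv_conf: str, qnames: List[str]) -> Dict[str, List[str]]:
    """Run every check and keep only the categories that produced hits."""
    report = {
        "files": scan_paths(listing),
        "c2_connections": scan_netstat(netstat_lines),
        "hijack_resolvers": scan_resolvers(resolv_conf),
        "c2_dns_queries": scan_qnames(qnames),
    }
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    for category, hits in sweep(SAMPLE_LISTING, SAMPLE_NETSTAT,
                                SAMPLE_RESOLV, SAMPLE_QNAMES).items():
        print(f"{category}: {hits}")
```

Paths are matched exactly because the implant's artefacts sit at fixed locations under /tmp, while the archive is matched on basename since the page gives only its name. A hit in "files" or "c2_connections" is strong on its own; a lone "hijack_resolvers" hit needs the device's intended DNS configuration checked first.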
Read more: https://blog.lumen.com/eight-arms-to-hold-you-the-cuttlefish-malware/