The HiatusRAT malware is back and has been targeting Taiwan-based organizations and a U.S. military procurement system. Like whack-a-mole, you see it here and then over there:
New research released by Lumen Black Lotus Labs shows the malware has been re-compiled for different architectures and is being hosted on new virtual private servers (VPSs). This current activity is a shift from prior campaigns tracked by Lotus Labs that primarily targeted Latin American and European organizations, and appears to align with the strategic interests of the People’s Republic of China as described in the 2023 ODNI threat assessment.
Current targets have included semiconductor and chemical manufacturers, a municipal government organization in Taiwan, and a U.S. Department of Defense (DoD) server associated with defense contracts.
First disclosed by Lotus Labs in March 2023 as a spying campaign on victims in Latin America and Europe, the activity is reported to have begun in July 2022. That campaign infected over 100 edge routers to passively collect traffic, functioning “as a covert network of command and control (C2) infrastructure.”
“Despite prior disclosures of tools and capabilities, the threat actor took the most minor of steps to swap out existing payload servers and carried on with their operations, without even attempting to re-configure their C2 infrastructure. This highlights the difficulty of dealing with edge and IoT-based malware, as there currently is no universal mechanism to clean up these devices.”
Dave Ratner, CEO of HYAS, had this to say:
“There may be no good universal mechanism to clean up edge and IOT-based devices, and bad actors will continue to find new ways to infect and infiltrate. Nevertheless, focusing on the adversary infrastructure — the command-and-control (C2) structures that are used — and identifying and blocking the communication with C2 is an important part of a security-in-depth strategy. Organizations who haven’t deployed advanced Protective DNS solutions to do just that will find themselves vulnerable time and again.”
This highlights how difficult it is to get rid of threat actors once they are entrenched in edge devices. Thus prevention has to be the strategy until we get to a place where we can take the fight to them.