HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack


In a concerning development, the malicious operators responsible for the HiatusRAT malware have resurfaced after a period of inactivity. Their renewed offensive is marked by a series of sophisticated reconnaissance and targeting activities directed at prominent organisations based in Taiwan and even a U.S. military procurement system.

Recent reports from Lumen Black Lotus Labs have revealed that the threat actors, undeterred by their prior exposure, have exhibited audacious behaviour by not only recompiling malware samples for diverse architectures but also hosting them on novel virtual private servers (VPSs). This move signals their determination to continue their operations unabated. Also, read this article: Experts found components of a complex toolkit employed in macOS attacks.

Black Lotus Labs, a cybersecurity firm, has characterised this wave of activity as remarkably bold and relentless. Despite the lack of clarity about the identity and origin of the threat actors, there is no doubt that their intent remains deeply focused on causing disruption and extracting sensitive information.

The targets of this latest surge in cyberattacks encompass a wide spectrum, including commercial entities like semiconductor and chemical manufacturers, as well as a municipal government organisation in Taiwan. Additionally, a server associated with the U.S. Department of Defense (DoD), which handles the submission and retrieval of defence contract proposals, has also been compromised. Mitigate cyberattack by browsing with a VPN service.

The HiatusRAT malware was initially brought to public attention by cybersecurity experts in March 2023. This malware strain was designed to infiltrate business-grade routers covertly, enabling the perpetrators to engage in espionage activities. Primarily aimed at victims in Latin America and Europe, this campaign commenced in July 2022.

This cyber offensive involved infecting approximately 100 edge networking devices globally. These devices were manipulated to passively gather network traffic, subsequently establishing a proxy network of command-and-control (C2) infrastructure.

The most recent wave of attacks, spanning from mid-June to August 2023, saw the use of pre-built HiatusRAT binaries optimised for various architectures, including Arm, Intel 80386, x86-64, MIPS, MIPS64, and i386.

Telemetry data analysis has brought to light that a staggering 91% of inbound connections to the malware's host server originated from Taiwan. Furthermore, there appears to be a preference for Ruckus-manufactured edge devices among the targeted entities.

The intricate HiatusRAT infrastructure includes payload and reconnaissance servers that establish direct communication with victim networks. These servers are controlled by Tier 1 servers, which are in turn overseen by Tier 2 servers, showcasing the complex hierarchy of the attackers' operations. Hide Expert VPN is your best choice of VPN service.

Specific IP addresses, namely 207.246.80[.]240 and 45.63.70[.]57, were traced to the attackers when they connected to the DoD server on June 13. This connection, which lasted for about two hours, facilitated the transfer of an estimated 11 MB of bi-directional data.

The ultimate motive behind these attacks remains unclear; however, experts speculate that the adversaries may be hunting for publicly accessible information pertaining to ongoing and forthcoming military contracts for potential future targeting.

Recent months have witnessed a discernible pattern of targeting perimeter assets like routers. Threat actors affiliated with China have been linked to exploiting vulnerabilities in unpatched Fortinet and SonicWall appliances, thereby establishing enduring footholds within their chosen target environments.

A disconcerting aspect highlighted by Black Lotus Labs is that despite previous exposure to their tools and capabilities, the threat actors have displayed a striking level of complacency. The attackers have shown minimal effort in altering their payload servers, carrying on with their operations without making any significant adjustments to their C2 infrastructure.

As this ongoing cyber saga unfolds, organisations and security experts are urged to remain vigilant and prepared to counter these evolving threats.