These popular VPN routers are being hacked to spread malware

Cybersecurity researchers from Black Lotus Labs recently uncovered a new campaign that uses vulnerable business routers to steal sensitive data and build a covert proxy network.

As reported by BleepingComputer, the researchers discovered that two DrayTek Vigor router models, the 2960 and the 3900, are being used to distribute a piece of malware called HiatusRAT.

This remote access trojan is used to download further malicious payloads that execute various commands on the infected endpoint, and it turns the device into a SOCKS5 proxy that relays command-and-control traffic.

Stealing data and running files

The majority of the victims, the report says, are in Europe and in North and South America. The researchers are not sure what the initial infection vector for the compromised devices is.

Still, they did reverse-engineer the malware and discovered that it steals system data (MAC address, kernel version, etc.), networking data (IP addresses), file system data, and process data (process names, IDs, UIDs, etc.). Furthermore, the RAT sends a heartbeat POST to the server every eight hours, which the attackers use to monitor the infected device.
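A defender-side illustration of the heartbeat behaviour described above, added here and not part of the original report: it scans egress logs for source/destination pairs whose POST requests recur on a near-fixed eight-hour cadence, which is the kind of periodicity a beacon like this leaves behind. The log lines, IP addresses and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed egress log: "<timestamp> <source> <method> <destination>".
# 192.0.2.10 posts to 198.51.100.7 roughly every 8 hours (a beacon-like
# pattern); 192.0.2.20 is ordinary, irregular traffic.
SAMPLE_LOG = """\
2023-03-01T00:02:11Z 192.0.2.10 POST 198.51.100.7
2023-03-01T03:15:40Z 192.0.2.20 POST 203.0.113.9
2023-03-01T08:01:55Z 192.0.2.10 POST 198.51.100.7
2023-03-01T09:30:02Z 192.0.2.20 POST 203.0.113.9
2023-03-01T16:02:30Z 192.0.2.10 POST 198.51.100.7
2023-03-01T22:47:13Z 192.0.2.20 POST 203.0.113.9
2023-03-02T00:01:47Z 192.0.2.10 POST 198.51.100.7
2023-03-02T08:02:20Z 192.0.2.10 POST 198.51.100.7
"""

def parse_log(text):
    """Return {(src, dst): [timestamps]} for the POST requests in the log."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, method, dst = line.split()
        if method == "POST":
            flows[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return flows

def find_beacons(flows, period=timedelta(hours=8), tolerance=0.05, min_hits=4):
    """Flag (src, dst) pairs whose POST intervals cluster around `period`.

    tolerance is the allowed relative deviation of the mean interval and of
    its spread from `period`; min_hits is the minimum number of requests
    needed before a pair is judged at all (thresholds are assumptions).
    """
    hits = []
    target = period.total_seconds()
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(mean(gaps) - target) <= tolerance * target and pstdev(gaps) <= tolerance * target:
            hits.append((src, dst, round(mean(gaps) / 3600, 2)))
    return hits

if __name__ == "__main__":
    for src, dst, hours in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{hours} h")
```

On real logs the same check should be run over the router's own outbound traffic (not only client traffic behind it), since here the router itself is the infected host.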

It can also read, delete, and upload files, download and run programs, forward any TCP data sent to the host's listening port, and stop itself if necessary.

The researchers say all of this is needed for the threat actors to be able to grab sensitive data moving through the router.

"Once this packet capture data reaches a certain file length, it is sent to the 'upload C2' located at 46.8.113[.]227 along with information about the host router," the researchers explained. "This allows the threat actor to passively capture email traffic that traversed the router and some file transfer traffic."

While not many firms are infected with Hiatus, its impact can still be great, the researchers said, as the hackers can steal email and FTP credentials. 

Via: BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/1tbSolj