A newly discovered malware dubbed ‘Cuttlefish’ is causing concern among cybersecurity experts as it targets enterprise-grade and small office/home office (SOHO) routers, aiming to monitor data passing through them and pilfer authentication information.
Analysis by Lumen Technologies’ Black Lotus Labs reveals that Cuttlefish operates by creating a proxy or VPN tunnel on compromised routers, enabling discreet exfiltration of data while circumventing security measures designed to detect unusual sign-ins.
The malware’s capabilities extend to performing DNS and HTTP hijacking within private IP spaces, disrupting internal communications and potentially introducing additional payloads.
While Cuttlefish shares some code similarities with the previously observed HiatusRat malware, which has been linked to campaigns aligned with Chinese state interests, concrete attribution remains elusive.
According to Black Lotus Labs, Cuttlefish has been active since at least July 2023, with a current focus on a campaign concentrated in Turkey, although isolated infections have been detected elsewhere, impacting satellite phone and data center services.
Infection Mechanism and Operation:
The precise method of initial router infection remains under investigation but may involve exploiting known vulnerabilities or brute-forcing credentials.
Upon gaining access to a router, Cuttlefish deploys a bash script (“s.sh”) to collect host-based data, including directory listings, running processes, and active connections.
Subsequently, the script downloads and executes the primary Cuttlefish payload (“.timezone”), which is loaded into memory to evade detection, while the downloaded file is erased from the file system.
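As an added illustration (not code from the article or from Black Lotus Labs), here is a small Python host audit for the behaviour just described: on a Linux-based router, a payload that is executed and then unlinked still shows up in /proc with an exe link ending in " (deleted)", and the stage names s.sh and .timezone are the ones the article reports. The sample process table is constructed; snapshot_proc() reads the live table when run on a Linux host.

```python
import os
from dataclasses import dataclass
from typing import Dict, List
# Stage names the article attributes to Cuttlefish: the collection script and the payload.
KNOWN_STAGE_NAMES = {"s.sh", ".timezone"}

@dataclass
class Proc:
    pid: int
    exe: str      # target of the /proc/<pid>/exe link; ends in " (deleted)" once unlinked
    cmdline: str  # /proc/<pid>/cmdline with NUL separators replaced by spaces

def suspicious_reasons(p: Proc) -> List[str]:
    # Returns why a process looks like a memory-resident implant; empty list means clean.
    reasons = []
    exe_path = p.exe.replace(" (deleted)", "")
    if p.exe.endswith(" (deleted)"):
        reasons.append("running binary was deleted from disk")
    argv_names = {os.path.basename(a) for a in p.cmdline.split()}
    if os.path.basename(exe_path) in KNOWN_STAGE_NAMES or argv_names & KNOWN_STAGE_NAMES:
        reasons.append("name matches a known Cuttlefish stage")
    return reasons

def audit(procs: List[Proc]) -> Dict[int, List[str]]:
    # Map each suspicious pid to its reasons; clean processes are omitted.
    return {p.pid: r for p in procs if (r := suspicious_reasons(p))}

def snapshot_proc(root: str = "/proc") -> List[Proc]:
    # Live process table on a Linux host; root privileges are needed to read every exe link.
    procs = []
    for name in os.listdir(root):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(f"{root}/{name}/exe")
        except OSError:  # kernel thread, already exited, or insufficient privilege
            exe = ""
        try:
            with open(f"{root}/{name}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            cmdline = ""
        procs.append(Proc(int(name), exe, cmdline))
    return procs

# Constructed sample process table (not real telemetry) exercising both checks.
SAMPLE_PROCS = [
    Proc(1, "/sbin/init", "/sbin/init"),
    Proc(742, "/usr/sbin/dropbear", "/usr/sbin/dropbear -p 22"),
    Proc(913, "/tmp/.timezone (deleted)", "/tmp/.timezone"),
    Proc(920, "/bin/sh", "sh /tmp/s.sh"),
]
```

Run as root, audit(snapshot_proc()) lists the flagged pids; a hit on the deleted-binary check is worth capturing before any reboot, since rebooting clears a memory-resident payload together with the evidence.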
Technical Details and Defense Measures:
Cuttlefish is available in various builds supporting a wide range of router architectures, ensuring broad compatibility.
Once executed, Cuttlefish employs a packet filter to monitor all connections passing through the compromised device, actively searching for “credential markers” such as usernames, passwords, and tokens associated with public cloud-based services.
Data matching these parameters is logged locally and subsequently exfiltrated to the attacker’s command and control (C2) server via a peer-to-peer VPN or proxy tunnel created on the compromised router.
To counter the threat posed by Cuttlefish, network administrators are advised to eliminate weak credentials, monitor for unusual logins from residential IPs, secure traffic with TLS/SSL encryption, inspect devices for rogue files or configurations, and periodically reboot routers.
For SOHO router users, best practices include regularly rebooting devices, applying firmware updates promptly, changing default passwords, blocking remote access to management interfaces, and replacing routers when they reach end-of-life (EoL).
As the threat landscape continues to evolve, proactive defense measures are crucial to mitigating the risk posed by sophisticated malware such as Cuttlefish.