New Cuttlefish Malware Infects Routers to Monitor Traffic for Credentials
A new malware dubbed 'Cuttlefish' has emerged, targeting both enterprise-grade and small office/home office (SOHO) routers to monitor and steal data passing through them. Analyzed by Lumen Technologies' Black Lotus Labs, Cuttlefish creates a proxy or VPN tunnel on compromised routers to covertly exfiltrate data, bypassing security measures that detect unusual sign-ins. The malware can also hijack DNS and HTTP within private IP spaces, potentially introducing additional payloads and disrupting internal communications.
Though Cuttlefish shares some code similarities with HiatusRat, previously associated with Chinese state interests, no concrete links between the two have been established, so attribution remains uncertain. Cuttlefish has been active since at least July 2023; the current campaign is concentrated in Turkey, with a few infections affecting satellite phone and data center services in other locations. The method of initial router infection remains unclear but may involve exploiting known vulnerabilities or brute-forcing credentials.
Once a router is compromised, Cuttlefish deploys a bash script ("s.sh") to collect host-based data and execute its primary payload (".timezone"), which is loaded into memory to evade detection. The malware supports various router architectures and monitors all connections, passively sniffing for credential markers associated with public cloud services like Alicloud, AWS, Digital Ocean, CloudFlare, and BitBucket.
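The exposure the article describes is traffic that crosses the router in a form the router can read. The following audit, added here as an example and not code from the article or from Black Lotus Labs, walks a set of constructed HTTP flow records and reports which ones carry cloud-service credentials over plaintext HTTP, where an on-path device could observe them, versus inside TLS, where the request body and headers are opaque to passive inspection. The header names and Authorization schemes used as markers (AWS SigV4, Cloudflare's X-Auth-Key/X-Auth-Email, Bearer and Basic tokens as used by DigitalOcean and Bitbucket) are assumed from those services' public API conventions, and the hostnames and token values in the sample are placeholders.

```python
import re

# Constructed sample of HTTP request flows, as a network monitor or proxy log
# might record them. These are NOT real captures; token values are placeholders.
SAMPLE_FLOWS = [
    {"client": "10.0.1.12", "host": "s3.amazonaws.com", "tls": False,
     "headers": {"Authorization": "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20240101/us-east-1/s3/aws4_request"}},
    {"client": "10.0.1.20", "host": "api.cloudflare.com", "tls": True,
     "headers": {"X-Auth-Key": "placeholder-key", "X-Auth-Email": "ops@example.test"}},
    {"client": "10.0.1.33", "host": "api.digitalocean.com", "tls": False,
     "headers": {"Authorization": "Bearer dop_v1_placeholder"}},
    {"client": "10.0.1.45", "host": "api.bitbucket.org", "tls": False,
     "headers": {"Authorization": "Basic dXNlcjpwbGFjZWhvbGRlcg=="}},
    {"client": "10.0.1.40", "host": "intranet.example.test", "tls": False,
     "headers": {"Accept": "text/html"}},
]

# Credential-bearing markers (assumed from public API documentation, not from
# the article). Header names are compared case-insensitively.
CREDENTIAL_HEADERS = {"x-auth-key", "x-auth-email"}
AUTH_SCHEMES = re.compile(r"^(AWS4-HMAC-SHA256|Bearer|Basic)\b", re.IGNORECASE)


def carries_credentials(headers):
    """Return True if any header in the request is a known credential marker."""
    for name, value in headers.items():
        lname = name.lower()
        if lname in CREDENTIAL_HEADERS:
            return True
        if lname == "authorization" and AUTH_SCHEMES.match(value.strip()):
            return True
    return False


def flow_exposure(flow):
    """Classify a flow from the point of view of a passive on-path observer.

    'exposed'  - credentials travel in plaintext HTTP and are readable in transit
    'opaque'   - credentials are present but wrapped in TLS (only the hostname
                 and connection metadata are visible to a passive sniffer)
    'none'     - the request carries no recognised credential marker
    """
    if not carries_credentials(flow["headers"]):
        return "none"
    return "opaque" if flow["tls"] else "exposed"


def audit(flows):
    """Return (client, host) pairs whose credentials are readable in transit."""
    return [(f["client"], f["host"]) for f in flows if flow_exposure(f) == "exposed"]


if __name__ == "__main__":
    for client, host in audit(SAMPLE_FLOWS):
        print(f"plaintext credentials: {client} -> {host}")
```

Running this over real proxy or flow logs turns the article's list of targeted services into a concrete remediation list: every "exposed" pair is a client that should be moved to TLS (or to short-lived, scoped tokens) before assuming the router is trustworthy. The "opaque" class is a reminder that TLS hides the credential but not the destination, which is why the DNS hijacking the article mentions still matters even for encrypted sessions.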
Captured data matching predefined parameters is logged locally and then exfiltrated to the command and control (C2) server through a peer-to-peer VPN or proxy tunnel created on the compromised device. Because it operates on the router rather than on any endpoint, Cuttlefish poses a significant threat to organizations worldwide: it lets attackers sidestep controls such as network segmentation and endpoint monitoring and remain undetected in cloud environments for prolonged periods.