HiatusRAT Malware Sample

In a striking departure from its previous focus on Latin American and European organizations, the HiatusRAT malware campaign has shifted tactics and is now directing its attention towards a reconnaissance attack on a server within the U.S. Department of Defense. Initially known for compromising DrayTek Vigor VPN routers used by medium-sized businesses, the campaign, as reported by Lumen's Black Lotus Labs, surprised observers by extending its reach from mid-June to August. Notably, alongside a U.S. military procurement system, Taiwanese organizations were also in the crosshairs of these threat actors. The evolution of HiatusRAT is evident in its adjusted malware samples, built for a range of architectures and hosted on recently acquired virtual private servers (VPSs). Strikingly, one of these VPS nodes exchanged data with a U.S. military server designated for contract proposals and submissions. The attackers' targeting of a website associated with contract proposals implies an intention to access publicly available information on military requirements, or potentially to uncover data related to entities affiliated with the Defense Industrial Base (DIB).

HiatusRAT Signatures

Family: Trojan:Linux/Multiverze
MD5: ff8e26ec2573f482abbd1a8fdd80fc81
SHA256: 6e21e42cfb93fc2ab77678b040dc673b88af31d78fafe91700c7241337fc5db2

HiatusRAT Download

Download HiatusRAT Sample