Cuttlefish Malware : Steals Private Cloud Data

A Malware name , “Cuttlefish” is develop by Chinese hackers according to research of The Black Lotus Labs team. cuttlefish targeting networking equipment, particularly small office/home office (SOHO) routers. cuttlefish is developed to steal authentication material found in web requests (https) that transit the router from the adjacent local area network (LAN). it hijack DNS and HTTP both for connections to private IP space. more function like cuttlefish can interact with other devices on LAN and move material ore create a new agent. There’s code overlap with the HiatusRat malware, suggesting a connection to the People’s Republic of China’s interests. However, no shared victimology is observed, indicating concurrent activity clusters. Hackers using a malware to target routers and other networking equipment used by organizations in Turkey. Researchers from Lumen Technologies’ Black Lotus Labs said that the malware has been active since at least 27 July , 2023 and the latest campaign of infections ran from October 2023 to April 2024.

Technical Details:

• Malicious Files – Bash Script:

Collects host-based data and downloads Cuttlefish.

Network connections source : Black Lotus Labs  The deployed bash script scans the device for information like directory listings, /etc contents, running processes, active connections, and mounts. It compresses this data into a file named “co.tmp.tar.gz” and uploads it to the domain hxxps://kkthreas[.]com/upload. It targets ARM-based devices primarily but has secondary paths for all major router architectures: i386, i386_i686, i386_x64, mips32, and mips64.

• Malicious Files – Primary Payload, Cuttlefish:

Implements packet filtering, hijacking, and credential harvesting.

• Retrieval of RuleSets:

Downloads rules from C2 to update hijacking parameters.

• Credential Harvesting Functionality:

Uses libpcap to eavesdrop on network traffic and steal credentials.

• Logger and Data Transmission Function:

Gzips and uploads intercepted data to C2. Once the filtered traffic log file reaches the specified size, or the maximum size set by the malware (1048576 bytes), Cuttlefish compresses it using gzip and uploads it to the C2 using the previously generated UUID and a hardcoded “tid” value: hxxps://205.185.122[.]121:443/upload?uuid=%s&filename=%s&tid={hex value}”

• Hijack Functionality:

Redirects traffic to private IP addresses and hijacks HTTP connections.

• VPN Functionality:

Sets up VPN connections for data retrieval. A module providing VPN functionality, based on the open-source project n2n, was discovered. It begins by enabling IP forwarding and configuring iptables rules on the compromised host. Then, it retrieves the IP of the hardcoded domain pp.kkthreas[.]com using CloudFlare’s DNS API. Afterward, it downloads rules from the C2 on port 443 and saves them as /tmp/n2nconfigjs. The module reads and parses these rules, setting parameters like hearttime and community. If n2n_status is set to 1, it joins an n2n community, potentially allowing the actors to impersonate legitimate victims’ IP addresses or interact with the local LAN from a private IP address, bypassing some security measures.

• Private Proxy Functionality:

Routes traffic through compromised routers using a proxy. This function, based on the open-source project “socks_proxy,” routes traffic back through the infected device, serving as an alternative to a VPN tunnel. It binds to all external interfaces on a random port and uses hardcoded username and password for socks5 proxy authentication. Unlike proxy services sold to other actors, this proxy pool is assessed to be exclusively used by the cuttlefish actors.

Historical Context for the Campaigns:

Cuttlefish campaigns date back to August 2023, with extensive targeting observed in Turkey. Connections to C2 servers indicate compromises in various sectors, including telecommunications and data centers.

Overlap with HiatusRat:

Cuttlefish shares code similarities with HiatusRat, suggesting a common developer or infrastructure. cuttlefish may modified version of hiatusRat.

Black Lotus Labs Global Telemetry And Analysis:

Victimology predominantly involves Turkish-based IP addresses, with sporadic connections observed in other regions, including the US.

Conclusion:

Cuttlefish represents a sophisticated evolution in malware targeting networking equipment, enabling passive eavesdropping and data theft. Recommendations include monitoring for IoCs and implementing security measures. This information is provided “as is” without any warranty or condition, and its use is at the end user’s risk. Full detailed article about cuttlefish malware by umen Technologies’ Black Lotus Labs Author : [ ultroidxTeam ] Thank you, remember me or bookmark this page for more cyber security related article… once again thank you ! feel free to leave your query in comment box.