One hundred or more businesses in North and South America and Europe have been impacted by the ongoing Hiatus hacking campaign that exploits DrayTek Vigor routers to facilitate data exfiltration and establish a covert proxy network, BleepingComputer reports.
Once attackers compromise vulnerable DrayTek 2960 and 3900 routers, they deploy a bash script that downloads the HiatusRAT malware along with the tcpdump utility, which is used to capture the router's network traffic, according to a report from Lumen's Black Lotus Labs.
Researchers noted that HiatusRAT not only downloads additional payloads and executes commands but can also turn the device into a SOCKS5 proxy. Aside from collecting system data, networking data, file system details, and process information, HiatusRAT sends a heartbeat POST to the command-and-control server, which allows the router's status to be tracked.
The bash script also installs the packet-capture tool, which collects network traffic on TCP ports and enables data exfiltration.
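Two of the behaviours described above are observable from the defender's side: a regular heartbeat POST from the router to one external host, and an unexpected packet-capture process running on the router. The script below is an added example, not code from Lumen's Black Lotus Labs or from the BleepingComputer report; the log and process-list formats, the host addresses, and the tcpdump command line are constructed for illustration, and real DrayTek output will need its own parser.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: outbound HTTP connections from one router, as an edge
# firewall or proxy might log them. Format: "epoch_seconds dst_host method path".
SAMPLE_CONNECTIONS = """\
1700000000 203.0.113.10 POST /
1700000480 203.0.113.10 POST /
1700000960 203.0.113.10 POST /
1700001440 203.0.113.10 POST /
1700001920 203.0.113.10 POST /
1700000120 198.51.100.7 GET /firmware.bin
1700001300 198.51.100.7 GET /firmware.bin
"""

# Constructed sample: a process listing pulled from the router over its
# management interface. Format: "pid user command".
SAMPLE_PROCESSES = """\
  101 root  /usr/bin/dropbear
  237 root  /usr/sbin/tcpdump -i eth0 -w /tmp/cap.pcap tcp
  402 root  /usr/sbin/httpd
"""


def parse_connections(text):
    """Group connection timestamps by destination host."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _method, _path = line.split()
        by_host[host].append(int(ts))
    return by_host


def find_beacons(by_host, min_count=4, max_jitter=0.1):
    """Return {host: interval_seconds} for hosts contacted at near-constant
    intervals, the pattern a heartbeat to a C2 server produces."""
    hits = {}
    for host, stamps in by_host.items():
        stamps = sorted(stamps)
        if len(stamps) < min_count:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: small value means the timing is regular.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[host] = round(avg)
    return hits


def find_capture_processes(text):
    """Return (pid, command) for any tcpdump process in the listing.
    A packet-capture tool has no business running on a production router."""
    flagged = []
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        pid, _user, cmd = fields
        program = cmd.split()[0].rsplit("/", 1)[-1]
        if program == "tcpdump":
            flagged.append((int(pid), cmd))
    return flagged


if __name__ == "__main__":
    for host, interval in find_beacons(parse_connections(SAMPLE_CONNECTIONS)).items():
        print(f"possible heartbeat: {host} every {interval}s")
    for pid, cmd in find_capture_processes(SAMPLE_PROCESSES):
        print(f"capture process on router: pid {pid}: {cmd}")
```

The beacon check deliberately ignores the destination address, so it does not depend on a list of known C2 hosts; the trade-off is that legitimate periodic traffic (NTP, firmware update polls) will also score as regular, so the result is a triage lead rather than a verdict.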