Threat actors launched a reconnaissance attack against a server belonging to the U.S. Department of Defense as part of the HiatusRAT malware campaign. The adversaries also targeted Taiwan-based organizations, including several companies and a municipal government institution.
HiatusRAT was first observed at the beginning of 2023, targeting organizations in Europe and Latin America. By March, researchers identified more than 100 victims of the malware.
Reportedly, HiatusRAT targeted high-bandwidth routers and enabled hackers to steal data, execute commands, and build a stealthy proxy network. The compromised systems are further used for command-and-control server communication.
More About HiatusRAT's Current Activities
Although security researchers had already disclosed at least some of the group's activities and methods, the hackers continued their operations in the same way.
They even revamped malware samples for different architectures that contained the previously revealed command-and-control servers. The new malware was eventually hosted on different Virtual Private Servers (VPSs).
The attack targeting a U.S. Defense Department server and the Taiwan-based organizations, however, suggests a change of focus.
Researchers observed the hackers using two different IP addresses to connect to a U.S. server used for submitting and retrieving proposals for defense contracts:
- 207.246.80[.]240
- 45.63.70[.]57
In June, over a two-hour window, researchers observed more than 11 MB of sampled bi-directional data being transferred. The IP address 207.246.80[.]240 first initiated a brief connection to the server, lasting about 5 minutes. After that session ended, the hackers established another, 90-minute connection from the IP address 45.63.70[.]57.
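The observations above (two source addresses, a short session followed by a long one, roughly 11 MB of sampled traffic) are the kind of pattern a defender can look for in flow logs. The following is an added example, not code from the article or from Heimdal: it parses netflow-style session records, flags any session involving the two IP addresses the article lists, and summarizes the hits by session count, total volume and longest duration. The log records are constructed for this example and are shaped to mirror the article's figures; the CSV column layout is an assumption.

```python
"""Added example: flag sessions involving the two IP addresses the article
lists as HiatusRAT infrastructure, using netflow-style records.
Not part of the original article; the record format is assumed."""
from dataclasses import dataclass
from datetime import datetime

# Indicators quoted in the article, kept in their defanged form.
HIATUSRAT_IOCS = {"207.246.80[.]240", "45.63.70[.]57"}


def refang(ip: str) -> str:
    """Turn '1.2.3[.]4' back into '1.2.3.4' so it can match live log data."""
    return ip.replace("[.]", ".")


IOC_SET = {refang(ip) for ip in HIATUSRAT_IOCS}


@dataclass
class Session:
    start: datetime
    end: datetime
    src: str
    dst: str
    bytes_in: int
    bytes_out: int

    @property
    def minutes(self) -> float:
        """Session duration in minutes."""
        return (self.end - self.start).total_seconds() / 60


# Constructed sample records (not real logs); assumed column order:
# start,end,src,dst,bytes_in,bytes_out
SAMPLE_LOG = """\
2023-06-13T10:00:00,2023-06-13T10:05:00,207.246.80.240,10.0.0.5,120000,340000
2023-06-13T10:06:00,2023-06-13T11:36:00,45.63.70.57,10.0.0.5,4200000,6500000
2023-06-13T10:10:00,2023-06-13T10:11:00,198.51.100.7,10.0.0.5,2000,9000
"""


def parse_sessions(text: str) -> list[Session]:
    """Parse CSV flow records into Session objects, skipping blank lines."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, src, dst, b_in, b_out = line.split(",")
        sessions.append(Session(datetime.fromisoformat(start),
                                datetime.fromisoformat(end),
                                src, dst, int(b_in), int(b_out)))
    return sessions


def find_ioc_hits(sessions: list[Session]) -> list[Session]:
    """Return sessions whose source or destination is a listed indicator."""
    return [s for s in sessions if s.src in IOC_SET or s.dst in IOC_SET]


def summarize(hits: list[Session]) -> dict:
    """Aggregate flagged sessions: count, total volume in MB, longest session."""
    total_bytes = sum(s.bytes_in + s.bytes_out for s in hits)
    return {
        "sessions": len(hits),
        "total_mb": round(total_bytes / 1_000_000, 2),
        "longest_minutes": max((s.minutes for s in hits), default=0.0),
    }


if __name__ == "__main__":
    hits = find_ioc_hits(parse_sessions(SAMPLE_LOG))
    for s in hits:
        print(f"IOC hit: {s.src} -> {s.dst}, {s.minutes:.0f} min, "
              f"{s.bytes_in + s.bytes_out} bytes")
    print(summarize(hits))
```

In practice the IOC set would be loaded from a threat feed and the records from a flow collector; the logic stays the same, and the summary is what an analyst would escalate on (multiple sessions from related infrastructure plus an unusually long connection to a single host).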
Security specialists believe the malicious actors were searching for publicly available resources regarding military contracts. Military requirements or the names of organizations involved in the Defense Industrial Base (DIB) could be of interest to the hackers if they are planning subsequent targeting.
How to Avoid a HiatusRAT Attack
Network monitoring and DNS filtering are critical in preventing malware deployment and data exfiltration. You can use this kind of tool to protect both your company's network and its endpoints.
AI & Machine Learning algorithms are capable of recognizing if a domain is malicious. Further on, the DNS filtering engine will stop any potentially malicious inbound or outbound traffic.
Read here to find out how you can use Heimdal's DNS Security tool to block malicious connections, prevent data leakage, and detect advanced malware.