Heimdal
Threat actors launched a reconnaissance attack against a server belonging to the U.S. Department of Defense, as part of HiatusRAT Malware Campaign. The adversaries also targeted Taiwan-based organizations, such as several companies and a municipal government institution.

HiatusRAT was first observed at the beginning of 2023, targeting organizations in Europe and Latin America. By March, researchers identified more than 100 victims of the malware.

Reportedly, HiatusRAT targeted high-bandwidth routers and enabled hackers to steal data, execute commands, and build a stealthy proxy network. The compromised systems are further used for command-and-control server communication.

More About HiatusRAT's Current Activities

Although security researchers revealed at least some of the group's activities and methods, the hackers continued their operations the same way.

They even revamped malware samples for different architectures that contained the previously revealed command-and-control servers. The new malware was eventually hosted on different Virtual Private Servers (VPSs).

The attack targeting a U.S. Defense Department server and the Taiwan-based organizations, however, suggests a change of focus.

Researchers observed the hackers using two different IP addresses to connect to a U.S. server used for submitting and retrieving proposals for defense contracts:

– 207.246.80[.]240

– 45.63.70[.]57

In June, over a two-hour window, researchers noticed that more than 11 MB of sampled bi-directional data were transferred. The IP address 207.246.80[.]240 initiated a brief connection to the server, lasting 5 minutes. After that session ended, the hackers established another, 90-minute connection from the IP address 45.63.70[.]57.

Security specialists believe the malicious actors were searching for publicly available resources regarding military contracts. Military requirements or the names of organizations involved in the Defense Industrial Base (DIB) could be of interest to the hackers if they are planning subsequent targeting.
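As an added illustration (not code from the article or from Heimdal), the following Python script shows how a defender could turn the two defanged addresses reported above into a watch list and flag matching sessions in connection logs, summarizing session count, total duration and transferred volume. The log lines are constructed sample data in an assumed "timestamp src dst duration_seconds bytes" layout, not real captures.

```python
from typing import Dict, List, Optional

# The two addresses reported in the article, kept in defanged form so the
# watch list can be pasted straight from a report without edits.
REPORTED_IPS = ["207.246.80[.]240", "45.63.70[.]57"]

# Constructed sample flow records (assumed layout, not real logs):
# start_time src_ip dst_ip duration_seconds bytes_transferred
SAMPLE_FLOWS = """\
2023-06-12T09:00:00Z 207.246.80.240 203.0.113.10 300 412000
2023-06-12T09:07:00Z 45.63.70.57 203.0.113.10 5400 11100000
2023-06-12T09:10:00Z 198.51.100.7 203.0.113.10 12 2300
garbage line that should be skipped
"""

def refang(ip: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4' or '1.2.3(.)4') into a plain IP."""
    return ip.replace("[.]", ".").replace("(.)", ".").strip()

def parse_flow(line: str) -> Optional[Dict]:
    """Parse one flow line; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return {"start": parts[0], "src": parts[1], "dst": parts[2],
                "duration_s": int(parts[3]), "bytes": int(parts[4])}
    except ValueError:
        return None

def flag_flows(log_text: str, iocs: List[str]) -> List[Dict]:
    """Return every parsed flow whose source address is on the (refanged) watch list."""
    watch = {refang(i) for i in iocs}
    hits = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is not None and rec["src"] in watch:
            hits.append(rec)
    return hits

def summarize(hits: List[Dict]) -> Dict:
    """Aggregate flagged sessions into the figures an analyst would report."""
    total_s = sum(h["duration_s"] for h in hits)
    total_b = sum(h["bytes"] for h in hits)
    return {"sessions": len(hits),
            "sources": sorted({h["src"] for h in hits}),
            "total_minutes": total_s / 60,
            "total_mb": round(total_b / 1_000_000, 3)}

if __name__ == "__main__":
    print(summarize(flag_flows(SAMPLE_FLOWS, REPORTED_IPS)))
```

On the constructed sample this yields two flagged sessions from the two reported sources, 95 minutes in total and about 11.5 MB, mirroring the 5-minute and 90-minute connections described in the article.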

How to Avoid a HiatusRAT Attack

Network monitoring and DNS filtering are critical in preventing malware deployment and data exfiltration. You can use this kind of tool to protect both your company's network and its endpoints.

AI and machine learning algorithms are capable of recognizing whether a domain is malicious. The DNS filtering engine then stops any potentially malicious inbound or outbound traffic.

Read here to find out how you can use Heimdal's DNS Security tool to block malicious connections, prevent data leakage, and detect advanced malware.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
