Pierluigi Paganini May 01, 2024

A new malware named Cuttlefish targets enterprise-grade and small office/home office (SOHO) routers to harvest public cloud authentication data.

Researchers at Lumen’s Black Lotus Labs discovered a new malware family, named Cuttlefish, which targets enterprise-grade and small office/home office (SOHO) routers to harvest public cloud authentication data from internet traffic.

The malware creates a proxy or VPN tunnel on the compromised router to exfiltrate data, and then uses stolen credentials to access targeted resources. 

Cuttlefish has a modular structure, it was designed to primarily steal authentication data from web requests passing through the router from the local area network (LAN). The malicious code can also perform DNS and HTTP hijacking within private IP spaces. Additionally, it can interact with other devices on the LAN and transfer data or deploy new agents. The researchers observed similarities in code and build paths with a previously reported malware called HiatusRat, linked to China. Although there’s code overlap, no shared victimology has been observed, suggesting that these malware families operate concurrently.

“The Cuttlefish malware offers a zero-click approach to capturing data from users and devices behind the targeted network’s edge. Any data sent across network equipment infiltrated by this malware, is potentially exposed.” reads the Lumen’s Black Lotus researchers. “What makes this malware family so insidious is the ability to perform HTTP and DNS hijacking for connections to private IP addresses. Cuttlefish lies in wait, passively sniffing packets, acting only when triggered by a predefined ruleset.”

The malware has been active since at least July 27, 2023, with indications of earlier versions. The recent campaign spanned from October 2023 to April 2024. The experts noticed that the infection chain was distinct, with 99% of infections originating in Turkey, primarily from two major telecommunications providers. These providers comprised around 93% of infections, totaling 600 unique IP addresses. Other non-Turkish victims included IP addresses likely belonging to clients of global satellite phone providers and a potential US-based data center.

The researchers have yet to determine the initial access vector, however, they believe threat actors could have exploited known vulnerabilities or carried out brute-forcing credentials. Upon gaining access to the routers, the attackers deploy a bash script that gathers certain host-based data to send to the C2. The bash script also downloads and executes Cuttlefish.

The binary analyzed by the researchers is compiled for all major architectures used by SOHO operating systems. 

The malware passively monitors network packets for “credential markers,” including usernames, passwords, and authentication tokens. Cuttlefish primarily targets public cloud-based services such as Alicloud, AWS, Digital Ocean, CloudFlare, and BitBucket.

The Black Lotus Labs report highlights that targeted services are used for storing sensitive data. This approach enables threat actors to potentially copy data from cloud resources lacking the logging or controls commonly present in traditional network perimeters.

The malware store the stolen data in the log, then when the log file of filtered traffic reaches a specified size, Cuttlefish compresses it using gzip and uploads it to the C2 server using a computed uuid and a predefined value of “tid”.

Cuttlefish redirects DNS requests for private IP addresses to a specified DNS server and manipulates HTTP requests to reroute traffic to an infrastructure under the control of its operators using HTTP 302 error codes. This capability suggests that Cuttlefish can hijack internal or site-to-site traffic, enabling access to secured resources not exposed on the Internet.

“Cuttlefish represents the latest evolution in passive eavesdropping malware for edge networking equipment, allowing an actor to adapt and overcome the TLS configurations adopted by more modern enterprises.” concludes the report. “We also believe these innovations are the next generation in malware capabilities; the ability to eavesdrop and perform DNS and HTTP hijacking has seldom been observed – the few publicly identified campaigns include ZuoRat, VPNFilter, Attor, and Plead. However, this is the first instance where we have seen rules specifically designed to seek out private IP connections to hijack.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, malware)