
Image: iStrfry, Marcus (unsplash)
A new campaign using the HiatusRAT malware saw threat actors zeroing in on a server associated with the U.S. Department of Defense. This activity has been interpreted by experts as a reconnaissance effort.
This strategic deviation is noteworthy. Historically, these attacks predominantly homed in on entities in Latin America and Europe. Their primary aim was to compromise business-class DrayTek Vigor VPN routers, devices commonly used by mid-tier businesses to connect remotely to their corporate networks.
Lumen’s Black Lotus Labs highlighted a change in the campaign’s reconnaissance efforts, noting a pivot between mid-June and August. Not only was a U.S. military procurement system on the radar, but entities based in Taiwan were also under the microscope.
To cover the diverse platforms in these new target environments, the HiatusRAT samples were recompiled for a range of architectures: Arm, Intel 80386, x86-64, MIPS, MIPS64, and i386. New virtual private servers (VPSs) were also set up to host the malware.
Notably, one of these VPS nodes was used to exchange data with a U.S. military server earmarked for contractual proposals and submissions. Given the server’s connection to contract proposals, experts infer that the attackers’ intent may include gleaning public details about military requisitions or identifying information on Defense Industrial Base (DIB)-related entities.
Lumen’s Black Lotus Labs shared their insights: The attackers may be zeroing in on public resources tied to present or upcoming military contracts. Their focus on a site related to contract proposals signals an interest in procuring public information on military demands and pinpointing entities under the umbrella of the Defense Industrial Base (DIB) for possible subsequent actions.
Historically, there have been similar attack waves where numerous businesses, primarily from Europe, North America, and South America, fell victim to the HiatusRAT, leading to the creation of a clandestine proxy network.
The primary function of this malware is to deliver supplementary payloads onto breached devices and to turn the affected systems into SOCKS5 proxies that relay traffic to and from the command and control server.
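Because a compromised router behaves as a SOCKS5 server, a defender can look for exactly that in captured traffic: a device that should never proxy anything answering a SOCKS5 client greeting with a method selection and then accepting a CONNECT request. The script below is an added example, not code from the report or from Black Lotus Labs; it parses the three opening SOCKS5 messages from RFC 1928 and flags any monitored device that completes the handshake as a server. All flow records, IP addresses and payload bytes are constructed for illustration.

```python
"""Spot SOCKS5 proxy handshakes served by network devices that should not proxy.

Added example; not code from the original report or from Lumen / Black Lotus Labs.
Flow records, addresses and payload bytes are constructed. Message layouts follow RFC 1928.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

SOCKS_VERSION = 0x05
METHOD_NAMES = {0x00: "no-auth", 0x01: "gssapi", 0x02: "user/pass", 0xFF: "none-acceptable"}
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP-ASSOCIATE"}


@dataclass
class Flow:
    """One TCP conversation, reduced to the first payload each side sent (constructed)."""
    client: str
    server: str
    port: int
    client_first: bytes          # first client->server payload
    server_first: bytes          # first server->client payload
    client_second: bytes = b""   # client payload after method selection, if captured


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """Client greeting: VER NMETHODS METHODS[NMETHODS]. Returns the offered auth methods."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return list(data[2:2 + n])


def parse_method_selection(data: bytes) -> Optional[int]:
    """Server reply: VER METHOD. Returns the chosen method."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        return None
    return data[1]


def parse_connect_request(data: bytes) -> Optional[Dict]:
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 0x01 and len(data) >= 10:            # IPv4: 4 address bytes
        addr, end = ".".join(str(b) for b in data[4:8]), 8
    elif atyp == 0x03 and len(data) >= 5:           # domain: length-prefixed
        ln = data[4]
        if len(data) < 5 + ln + 2:
            return None
        addr, end = data[5:5 + ln].decode("ascii", "replace"), 5 + ln
    elif atyp == 0x04 and len(data) >= 22:          # IPv6: 16 address bytes
        addr, end = data[4:20].hex(), 20
    else:
        return None
    (dst_port,) = struct.unpack("!H", data[end:end + 2])
    return {"cmd": CMD_NAMES.get(cmd, f"unknown({cmd})"), "dst": addr, "dst_port": dst_port}


def find_proxy_handshakes(flows: List[Flow], monitored_devices) -> List[Dict]:
    """Return a finding for each monitored device that completes a SOCKS5 handshake as server."""
    findings = []
    for f in flows:
        if f.server not in monitored_devices:
            continue
        offered = parse_greeting(f.client_first)
        chosen = parse_method_selection(f.server_first)
        if offered is None or chosen is None or chosen == 0xFF:
            continue                                 # not SOCKS5, or server refused
        finding = {"device": f.server, "peer": f.client, "port": f.port,
                   "auth": METHOD_NAMES.get(chosen, hex(chosen))}
        req = parse_connect_request(f.client_second)
        if req:
            finding.update(req)
        findings.append(finding)
    return findings


# Constructed sample flows (documentation-range addresses).
SAMPLE_FLOWS = [
    # Router 192.0.2.1 answers a no-auth greeting, then is asked to CONNECT to 203.0.113.7:443.
    Flow("198.51.100.23", "192.0.2.1", 8816, b"\x05\x01\x00", b"\x05\x00",
         b"\x05\x01\x00\x01\xcb\x00\x71\x07\x01\xbb"),
    # Ordinary TLS to the router's admin interface: not a SOCKS5 exchange.
    Flow("192.0.2.50", "192.0.2.1", 443, b"\x16\x03\x01\x00\xc4", b"\x16\x03\x03\x00\x5a"),
    # A host outside the monitored set acting as a SOCKS5 server is ignored here.
    Flow("198.51.100.23", "192.0.2.99", 1080, b"\x05\x01\x00", b"\x05\x00"),
]
MONITORED_DEVICES = {"192.0.2.1", "192.0.2.2"}

if __name__ == "__main__":
    for hit in find_proxy_handshakes(SAMPLE_FLOWS, MONITORED_DEVICES):
        print("SOCKS5 server behaviour on", hit)
```

In practice the first payload of each direction would come from a packet capture or a flow sensor that records initial bytes; the handshake check is independent of the port, which matters because the report notes the actors kept their infrastructure and tooling largely unchanged, so the observable behaviour (a router suddenly serving SOCKS5) is more durable than any particular port or server address.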
Lumen pointed out a particularly intriguing aspect: despite public exposure of their tools and methods, the threat actors made only minimal changes. They replaced existing payload servers and persisted with their modus operandi, with no discernible alterations to their command and control infrastructure.
While Lumen hinted at a shift in information-gathering and target preferences that could mirror specific strategic interests from the East, the specifics remain undetermined. In parallel, other attacks on U.S. entities have been reported, with links to different threat groups.
In their final remarks, Lumen opined that the HiatusRAT activity might be indicative of a broader technique potentially leveled against the U.S. Defense Industrial Base. They urged defense contractors to maintain vigilance and routinely scrutinize their network devices for traces of HiatusRAT.