Cuttlefish Malware Steals Credentials Via Routers

Security researchers based at security firm Black Lotus Labs recently discovered a new type of malware infecting enterprise-grade and small office routers to monitor data that passes through them and steal authentication information.

To help facilitate this, the malware can perform DNS and HTTP hijacking within private IP spaces, interfering with internal communications, and possibly introducing more payloads.

Cuttlefish Malware Steals Credentials Via Routers

According to a blog article published by Black Lotus Labs, Cuttlefish malware has been active since at least July 2023. It is currently running an active campaign concentrated in Turkey. A few infections have been detected elsewhere, predominantly impacting satellite phone and data center services.

Researchers further noted,

Cuttlefish also has the ability to interact with other devices on the LAN and move material or introduce new agents. Based upon code similarities in conjunction with embedded build paths, we have found overlap with a previously reported activity cluster called HiatusRat, whose targeting aligns with the interest of the People’s Republic of China. While there is code overlap between these two malware families, we have not observed shared victimology. We assess that these activity clusters are operating concurrently.

At the time of publication, security researchers could not determine the method used by threat actors to gain initial access. The threat actors are likely using a vulnerability that, when correctly exploited, is a bash script that gathers specific host-based data to send to the command and control server and is executed.

The same bash script is then used to download and execute the Cuttlefish malware. At its core, Cuttlefish is a malicious binary compiled for all significant architectures used for major small home and office router manufacturers.

The malware itself consists of several modules in a multistep installation process to install a packet filter to inspect all outbound connections and use specific ports, protocols, and destination IP addresses.

This is done to monitor traffic constantly. When traffic is found of particular interest to the threat actors, they create a VPN or proxy tunnel back into the compromised router to weaponize the stolen tokens and retrieve data hosted on cloud resources.

Researchers noted,

We assess that Cuttlefish represents the latest adaptation in networking equipment-based malware, as it combines multiple attributes. It has the ability to perform route manipulation, hijack connections, and employs passive sniffing capability. With the stolen key material, the actor not only retrieves cloud resources associated with the targeted entity but gains a foothold into that cloud ecosystem. We assess that while this most recent malware iteration went undetected for nine months and replaced a prior version called “.putin,” it had the potential for long-term persistent access.

A More than Impressive Feature Set

A question to ask is how the packet sniffer detects credentials, or credential-related packets, of interest to the threat actor. The threat actors created an extended Berkeley Packet Filter (eBPF) for eavesdropping and hijacking IP ranges to do this.

eBPF is a technology that makes it possible to run particular programs deep inside the Linux operating system but in an isolated way. Using this approach, teams can collect crucial observability data from Linux applications and network resources more easily and efficiently as the technology first filters the packets.

Threat actors have been using the technology to break the packet filtering process into two parts. First, outbound network parameter combinations in dictionary data types are scanned for certain credential "markers."

These credential markers contain a list of predefined strings, some of which appeared to be generic, like "username," "password," or "access_token," while others were much more targeted, like "aws_secret_key" and "cloudflare_auth_key." Any traffic matching the network filters and markers is logged and sent to the threat actor's command and control server.

Security researchers further warned of the weaponizing of VPN technology, saying,

We assess the threat actor was connecting through the compromised router with a Virtual Private Network (VPN) protocol such as n2n, or a proxy service like socks_proxy. This would allow them to weaponize the stolen authentication material, and retrieve data associated with the targeted entities. By implementing the VPN connection through the compromised router, the actor is attempting to avert suspicion from abnormal login-based alerts, as the IP address of said router (now used as a proxy), is associated with the targeted organization.

Researchers concluded that Cuttlefish represents the latest evolution in passive eavesdropping malware that can target hardware like routers.

Further, threat actors are believed to target cloud services as it allows them to access many of the same materials hosted internally without having to contend with security controls like EDR or network segmentation.

The worrying fact about this evolution is that it allows the threat actor to effectively bypass more secure network protocols, like TLS, adopted by many organizations.

Researchers also believe that Cuttlefish may be the first malware to have coded rules specifically designed to seek out private IP connections to hijack, along with DNS and HTTP hijacking.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal