
Cuttlefish Malware

A new malware known as Cuttlefish focuses on small office and home office (SOHO) routers, aiming to discreetly monitor all traffic passing through these devices and collect authentication data from HTTP GET and POST requests.

This particular malware is built in a modular fashion, primarily targeting the theft of authentication information from Web requests passing through the router on the Local Area Network (LAN). Additionally, it possesses the capability to perform DNS and HTTP hijacking for connections within private IP space, typically associated with internal network communications.

There are indications from the source code that suggest similarities with a previously identified activity cluster known as HiatusRAT, though no instances of shared victimology have been observed thus far. It appears that these two operations are concurrently active.

Infection Vector for Compromising Devices with the Cuttlefish Malware

Cuttlefish has been active since at least July 27, 2023, with its latest campaign spanning from October 2023 to April 2024. During this period, it primarily targeted 600 unique IP addresses linked to two Turkish telecom providers.

The specific method used for initial access to compromise networking equipment remains unclear. However, once a foothold is established, a bash script is deployed to collect host data, including the contents of /etc, running processes, active connections, and mounts. This information is then sent to a domain controlled by the threat actor ('kkthreas.com/upload'). The script subsequently downloads and executes the Cuttlefish payload from a dedicated server, selecting the build that matches the router's architecture (e.g., Arm, mips32, mips64, i386, i386_i686, i386_x64, etc.).

The Cuttlefish Malware May Compromise Crucial Victim Credentials

A standout feature of this malware is its passive sniffing capability, designed specifically to target authentication data for public cloud services such as Alicloud, Amazon Web Services (AWS), Digital Ocean, CloudFlare, and BitBucket, and implemented with an extended Berkeley Packet Filter (eBPF).

The malware operates based on a ruleset that directs it to either hijack traffic bound for a private IP address or activate a sniffer function for traffic heading to a public IP, enabling the theft of credentials under specific conditions. The hijack rules are retrieved and updated from a Command-and-Control (C2) server established for this purpose, with a secure connection using an embedded RSA certificate.
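As an added illustration (not code from the write-up, and not the malware's own code), the following audit script applies the same private-versus-public destination split to sample LAN requests and flags the plaintext credential material a router-level sniffer could capture. The header list, the sample traffic and the destination addresses are constructed for the example; only the AWS access-key-ID prefix is a real, documented format.

```python
"""Audit plaintext HTTP requests crossing a SOHO router for credential
material that a passive sniffer could harvest.  Added example; samples
and the header list are constructed, not taken from the original page."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Private (RFC 1918) space: the malware applies its hijack rules here and
# its credential sniffer to everything else (public destinations).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Header names that commonly carry authentication data (constructed list).
AUTH_HEADERS = {"authorization", "x-auth-token", "x-api-key", "cookie"}
# AWS access key IDs are "AKIA" followed by 16 uppercase letters/digits.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

@dataclass
class Finding:
    dst: str
    scope: str          # "private" -> hijack rule; "public" -> sniffer rule
    reasons: List[str]

def classify_dst(host: str) -> str:
    """Mirror the ruleset split: RFC 1918 destination or public."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # hostname: treat as public (assumption)
        return "public"
    return "private" if any(ip in n for n in PRIVATE_NETS) else "public"

def audit_request(dst: str, raw: str) -> Optional[Finding]:
    """Return a Finding when the request exposes credential material."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    reasons = []
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() in AUTH_HEADERS and value.strip():
            reasons.append(f"header {name.strip()}")
    for where, text in (("url", request_line), ("body", body)):
        if AWS_KEY_RE.search(text):
            reasons.append(f"aws-key-in-{where}")
    return Finding(dst, classify_dst(dst), reasons) if reasons else None

# Constructed sample traffic as a LAN-side sniffer would observe it.
SAMPLES = [
    ("10.0.0.5", "GET /api HTTP/1.1\r\nHost: nas\r\nAuthorization: Basic dXNlcjpwdw==\r\n\r\n"),
    ("203.0.113.10", "POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nkey=AKIAABCDEFGHIJKLMNOP"),
    ("203.0.113.20", "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

def audit_all(samples=SAMPLES) -> List[Finding]:
    return [f for f in (audit_request(d, r) for d, r in samples) if f]
```

Requests flagged with scope "public" are the ones the sniffer rule would see; the fix on the defender side is to move such traffic to TLS rather than rely on the router.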

Moreover, the malware can act as a proxy or VPN, allowing captured data to be transmitted through the compromised router and facilitating threat actors in using collected credentials to access targeted resources.

Researchers describe Cuttlefish as an advanced form of passive eavesdropping malware for edge networking equipment, combining various capabilities such as route manipulation, connection hijacking and passive sniffing. With the misappropriated authentication material, threat actors not only gain access to cloud resources associated with the target, but also establish a foothold within that cloud ecosystem.
