Cuttlefish Malware Targets Routers, Monitoring Traffic for Credentials

A newly discovered malware dubbed "Cuttlefish" is causing concern among cybersecurity experts, as it targets both enterprise-grade and small office/home office (SOHO) routers to clandestinely monitor and steal authentication information from passing data.

Research conducted by Lumen Technologies' Black Lotus Labs reveals that Cuttlefish operates by creating a proxy or VPN tunnel on infected routers, allowing it to discreetly exfiltrate data while evading detection from conventional security measures. Additionally, the malware possesses the capability to perform DNS and HTTP hijacking within private IP spaces, potentially disrupting internal communications and introducing further malicious payloads.

Despite sharing some code similarities with the previously identified HiatusRat, which has been associated with campaigns aligned with Chinese state interests, there is no concrete evidence linking the two, making attribution difficult.

According to Black Lotus Labs, Cuttlefish has been active since at least July 2023, primarily concentrating its campaign efforts in Turkey, with sporadic infections reported in other regions affecting satellite phone and data center services.

The initial method of infecting routers remains under investigation but likely involves exploiting known vulnerabilities or brute-forcing credentials. Once access is gained, a bash script ("") is deployed to collect host-based data, followed by the execution of the primary Cuttlefish payload (".timezone"). Notably, the payload is loaded into memory to avoid detection, with the downloaded file subsequently erased from the file system.

Cuttlefish is available in various builds supporting a range of router architectures, including ARM, i386, i386_i686, i386_x64, mips32, and mips64, ensuring broad compatibility across different devices.

Upon execution, Cuttlefish employs a packet filter to monitor all connections passing through the compromised router. It actively scans for "credential markers" within the traffic, such as usernames, passwords, and tokens, particularly targeting public cloud-based services like Alicloud, AWS, Digital Ocean, CloudFlare, and BitBucket. Captured credentials are logged locally and then exfiltrated to the attacker's command and control (C2) server via a peer-to-peer VPN or proxy tunnel.

To further evade detection, Cuttlefish redirects DNS requests for private IP addresses to a specified server and manipulates HTTP requests to redirect traffic to actor-controlled infrastructure. This capability enables the malware to intercept internal ("east-west") traffic or site-to-site VPN connections, granting unauthorized access to secured resources.

In light of this threat, Black Lotus Labs recommends several mitigation strategies for organizations and SOHO router users. These include eliminating weak credentials, monitoring for unusual logins, securing traffic with TLS/SSL, inspecting devices for anomalies, and regularly rebooting routers. Additionally, SOHO router users are advised to apply firmware updates, change default passwords, restrict remote access, and replace devices reaching end-of-life (EoL) status.

Cuttlefish poses a significant risk to organizations worldwide, bypassing traditional security measures and residing undetected in cloud environments. Vigilance and proactive security measures are essential to mitigate the threat posed by this sophisticated malware.