Eight Arms to Hold You: The Cuttlefish Malware

May 2, 2024, 2:17 p.m.

Description

The Black Lotus Labs team at Lumen Technologies is tracking a malware platform named Cuttlefish, targeting enterprise-grade small office/home office (SOHO) routers. This modular malware primarily steals authentication material from web requests transiting the router. It can also perform DNS and HTTP hijacking for connections to private IP spaces on internal networks. Cuttlefish overlaps with a previously reported activity cluster called HiatusRat, potentially linked to the interests of the People's Republic of China. While there is code overlap, shared victimology has not been observed between these two malware families.

Date

  • Created: May 2, 2024, 1:50 p.m.
  • Published: May 2, 2024, 1:50 p.m.
  • Modified: May 2, 2024, 2:17 p.m.

Indicators

  • e48c250c47dd071dcee984a8e9f27b170004ff81c3f0da6a50364fdecf800fd3
  • eb7a7ab952080f66c82fe8350da131ce0d7766f203bd4d97b0798b4f59283a27
  • cfd134523be5498a192b212202746300d68da44965f465225b7e6a2fe1d9d296
  • b7915c43908a85e0430fa98cb0a08b24cfd3812662be1affa4ed9e135a31fb1e
  • a7de324a92f54ac30035e27a80a97329d30e21315f948cea636298b011998e90
  • 9b736c8555bdbb27498edcf5b074ed33b792e99436a2bb5691beb96d1d141365
  • 99d5cf32f8198e99c530be4f5e05487e280bacdb8ef26aaf38dc20e301aad75f
  • 94812d391160e4fce821701b944cfd8f5fd9454b3cbb8e8974d1dc259310e500
  • 7e1d0ba01333479be1ddeb56de94e15204776245431480f59cd98f45ba956530
  • 73cf20675639c18c04381b5efd7d628736d149734280988f55358e301c1d9bb8
  • 70693211cd0b14a7463b39b2fa801ce1fdefc85c7f3e003772d1b4deeb78efde
  • 6295d5cb21c441066d2da81a76440bcac9bd5a7830fc9faea9668bd0b2015046
  • 44b769be0c2a807082a9bfd2f33fdc744552c5c7ca88a812ef4bd0393a50f132
  • 4aa23fbdc27d317c6e54481b6d884b962adf6e691a4731c859ddaf9af09822c6
  • 3d9ee05c0841ad65547c0cc8516d092cff48dad5e7bbf97c99ddd44ee94a24bc
  • 37537ac2c4c60a67e92d5badae04f7f9115e97a67199b6f2c0010620c3eb0594
  • 2f0911fb892d448910c36a37c9fbdec8c73ccfecc274854b1fa053fb1cc2369b
  • 2ed174523bd80a93b7d09940d375f9c0d71e1ce8ecffb2320e02a78f4b601408
  • 263074f7312146f3275af64adbc5d02a618ed193ac84951c529ce8c367fb76e6
  • 23c2e7ff2602e5f76b3f2c354761ef39966facb3b12ed05551816f482d4d5608
  • 172212750bb3f4708a728d1d48ade3d6dd503d2892d4cc72d1719c06d5a1f4a8
  • 1168e97ccf61600536e93e9c371ee7671bae4198d4bf566550328b241ec52e89
  • 10a4edbbb852a1b01fc6fbf0aa1407bc8589432bddb2001ae62702f18d919e89
  • 0dfde136c06636f2055153af4ad5f9bc2ed0ed2c055dde1fdbe82f866d0ebbac
  • 0a08579e3416dc3cdd80c215b8fb94d86a0bb42c8c733530850417cffd6bde38
  • 07df37d8168e911b189bbe0912b4842fa1fe48d5264e99738ad3247f9c818478
  • f226bf37af9c33162063db3eb018fed7f088f86d0a20ca54c013fda96c7f2e05
  • 82c569b93da5c18ed649ebd4c2c79437db4611a6a1373e805a3cb001c64130b7
  • 36.75.75.75
  • 138.112.25.25
  • 123.181.24.36
  • 1.13.16.45
  • 209.141.49.178
  • 205.185.122.121
  • 198.98.56.93
  • 107.189.28.251
  • 71.162.181.51
  • pp.kkthreas.com
  • kkthreas.com
  • fadsdsdasaf2233.com

Attack Patterns

Additional Information

  • United States of America