Eight Arms to Hold You: The Cuttlefish Malware

May 2, 2024, 2:17 p.m.

Description

The Black Lotus Labs team at Lumen Technologies is tracking a malware platform named Cuttlefish that targets enterprise-grade small office/home office (SOHO) routers. This modular malware primarily steals authentication material from web requests transiting the router. It can also perform DNS and HTTP hijacking for connections to private IP spaces on internal networks. Cuttlefish overlaps with a previously reported activity cluster called HiatusRat, potentially linked to the interests of the People's Republic of China. While there is code overlap, shared victimology has not been observed between these two malware families.

Date

Published: May 2, 2024, 1:50 p.m.

Created: May 2, 2024, 1:50 p.m.

Modified: May 2, 2024, 2:17 p.m.

Indicators

e48c250c47dd071dcee984a8e9f27b170004ff81c3f0da6a50364fdecf800fd3

eb7a7ab952080f66c82fe8350da131ce0d7766f203bd4d97b0798b4f59283a27

cfd134523be5498a192b212202746300d68da44965f465225b7e6a2fe1d9d296

b7915c43908a85e0430fa98cb0a08b24cfd3812662be1affa4ed9e135a31fb1e

a7de324a92f54ac30035e27a80a97329d30e21315f948cea636298b011998e90

9b736c8555bdbb27498edcf5b074ed33b792e99436a2bb5691beb96d1d141365

99d5cf32f8198e99c530be4f5e05487e280bacdb8ef26aaf38dc20e301aad75f

94812d391160e4fce821701b944cfd8f5fd9454b3cbb8e8974d1dc259310e500

7e1d0ba01333479be1ddeb56de94e15204776245431480f59cd98f45ba956530

73cf20675639c18c04381b5efd7d628736d149734280988f55358e301c1d9bb8

70693211cd0b14a7463b39b2fa801ce1fdefc85c7f3e003772d1b4deeb78efde

6295d5cb21c441066d2da81a76440bcac9bd5a7830fc9faea9668bd0b2015046

44b769be0c2a807082a9bfd2f33fdc744552c5c7ca88a812ef4bd0393a50f132

4aa23fbdc27d317c6e54481b6d884b962adf6e691a4731c859ddaf9af09822c6

3d9ee05c0841ad65547c0cc8516d092cff48dad5e7bbf97c99ddd44ee94a24bc

37537ac2c4c60a67e92d5badae04f7f9115e97a67199b6f2c0010620c3eb0594

2f0911fb892d448910c36a37c9fbdec8c73ccfecc274854b1fa053fb1cc2369b

2ed174523bd80a93b7d09940d375f9c0d71e1ce8ecffb2320e02a78f4b601408

263074f7312146f3275af64adbc5d02a618ed193ac84951c529ce8c367fb76e6

23c2e7ff2602e5f76b3f2c354761ef39966facb3b12ed05551816f482d4d5608

172212750bb3f4708a728d1d48ade3d6dd503d2892d4cc72d1719c06d5a1f4a8

1168e97ccf61600536e93e9c371ee7671bae4198d4bf566550328b241ec52e89

10a4edbbb852a1b01fc6fbf0aa1407bc8589432bddb2001ae62702f18d919e89

0dfde136c06636f2055153af4ad5f9bc2ed0ed2c055dde1fdbe82f866d0ebbac

0a08579e3416dc3cdd80c215b8fb94d86a0bb42c8c733530850417cffd6bde38

07df37d8168e911b189bbe0912b4842fa1fe48d5264e99738ad3247f9c818478

f226bf37af9c33162063db3eb018fed7f088f86d0a20ca54c013fda96c7f2e05

82c569b93da5c18ed649ebd4c2c79437db4611a6a1373e805a3cb001c64130b7

36.75.75.75

138.112.25.25

123.181.24.36

1.13.16.45

209.141.49.178

205.185.122.121

198.98.56.93

107.189.28.251

71.162.181.51

Attack Patterns

Cuttlefish

HiatusRat

T1504

T1600

T1591

T1583

T1567

T1552

T1555

T1598

T1057

T1041

Additional Information

United States of America