1 May 2024

New Cuttlefish malware steals credentials from SOHO routers

The Black Lotus Labs team at Lumen Technologies has uncovered a sophisticated malware platform dubbed “Cuttlefish,” which targets networking equipment, particularly enterprise-grade small office/home office (SOHO) routers. The malware has been active since at least July 2023, with its latest wave spanning from October 2023 to April 2024.

Cuttlefish operates as a modular malware designed with a primary focus on stealing credentials from web requests passing through targeted routers within a local area network (LAN). Additionally, it has capabilities for DNS and HTTP hijacking.

Cuttlefish can perform HTTP and DNS hijacking for connections to private IP addresses, letting the threat actor capture data from users and devices behind the compromised network's edge. Once authentication material is obtained, the threat actor establishes either a proxy or VPN tunnel back through the compromised router and uses the stolen credentials to access targeted resources. Because the traffic originates from a legitimate router, this method potentially allows the threat actor to evade detection while exfiltrating data.
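As an added illustration of the exposure described above (example code written for this article, not from Black Lotus Labs or the malware itself), the script below audits a constructed set of cleartext HTTP requests for the authentication material a router-resident sniffer would see, which is one way a network team can find clients that still authenticate over plain HTTP. Hostnames, tokens and field names are made up.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: raw requests as they would cross a LAN edge router.
SAMPLE_REQUESTS = [
    "GET /api/v1/buckets HTTP/1.1\r\nHost: storage.example.test\r\n"
    "Authorization: Bearer eyJhbGciOi.constructed.token\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: 192.168.1.20\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=admin&password=hunter2",
    "GET /index.html HTTP/1.1\r\nHost: intranet.example.test\r\n"
    "Cookie: theme=dark\r\n\r\n",
    "GET /dashboard HTTP/1.1\r\nHost: 10.0.0.5\r\n"
    "Cookie: session=abc123; PHPSESSID=def456\r\n\r\n",
]

# Assumed field and cookie names that usually carry secrets (not exhaustive).
SECRET_FIELDS = {"password", "passwd", "pwd", "token", "secret", "api_key"}
SESSION_COOKIES = re.compile(r"(?i)(session|sess|sid|token|auth)")

def parse_request(raw):
    """Minimal HTTP/1.1 parser: request line, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body

def exposed_material(raw):
    """Return (host, kinds of credential material visible in this request)."""
    request_line, headers, body = parse_request(raw)
    found = []
    if "authorization" in headers:
        found.append("authorization-header")
    for cookie in headers.get("cookie", "").split(";"):
        name = cookie.split("=", 1)[0].strip()
        if name and SESSION_COOKIES.search(name):
            found.append("session-cookie:" + name)
    if request_line.startswith("POST"):
        for field in parse_qs(body):
            if field.lower() in SECRET_FIELDS:
                found.append("form-field:" + field)
    return headers.get("host", "?"), found

def audit(requests):
    """Map host -> exposed material kinds, omitting requests with none."""
    report = {}
    for raw in requests:
        host, found = exposed_material(raw)
        if found:
            report.setdefault(host, []).extend(found)
    return report
```

Running `audit(SAMPLE_REQUESTS)` flags three of the four constructed requests; only the request carrying a harmless `theme` cookie is clean.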

The analysis indicates a link between Cuttlefish and a previously identified malware cluster known as HiatusRat, associated with cyber activities aligned with the interests of the People's Republic of China. While code similarities suggest a connection between the two, there is no evidence of shared victimology between Cuttlefish and HiatusRat, indicating distinct but concurrent operations.

The researchers said that the majority of victims targeted by Cuttlefish were observed in Turkey, with 99% of infections traced back to two telecommunications providers. These providers accounted for approximately 93% of infections, affecting 600 unique IP addresses. A handful of non-Turkish victims, including global satellite phone providers and a US-based data center, were also identified.

Currently, the initial access vector for Cuttlefish remains unknown.

Once a router is compromised, the threat actor deploys a bash script to gather host-based data and launch the Cuttlefish binary built for whichever of the various architectures used by SOHO operating systems the device runs on. Cuttlefish then follows a multi-step process that includes installing a packet filter to inspect outbound connections for specific ports, protocols, and destination IP addresses.

“We assess that Cuttlefish represents the latest adaptation in networking equipment-based malware, as it combines multiple attributes. It has the ability to perform route manipulation, hijack connections, and employs passive sniffing capability. With the stolen key material, the actor not only retrieves cloud resources associated with the targeted entity but gains a foothold into that cloud ecosystem,” the researchers said.
