Related Families: HiatusRat
Targeted Verticals: Telecommunications, Various
Executive Summary
Cuttlefish is a recently discovered modular malware platform observed targeting networking equipment, including enterprise grade SOHO routers.
Key Takeaways
- Cuttlefish is a recently discovered modular malware platform observed targeting networking equipment, including enterprise grade SOHO routers.
- Cuttlefish has been active in the wild since at least July 2023, and the most recent known Cuttlefish campaign occurred from October 2023 to April 2024.
- Cuttlefish allows threat actors to monitor traffic and steal authentication from web requests sent through the router from the LAN using a zero-click approach.
- Cuttlefish also has the ability to hijack both DNS and HTTP for connections to private IP space.
What is Cuttlefish?
Cuttlefish is a recently discovered modular malware platform observed targeting networking equipment, including enterprise grade SOHO routers. The activity associated with Cuttlefish began as early as July 2023. A majority of the infections affected entities in Turkey, with telecommunications being the only specified vertical affected. The most recent known Cuttlefish campaign occurred from October 2023 to April 2024. Lumen recently reported on Cuttlefish.
Cuttlefish has both a sniffer function and a hijack function. Cuttlefish allows threat actors to monitor traffic and steal authentication from web requests sent through the router from the LAN using a zero-click approach. According to Lumen, what makes Cuttlefish so insidious is that it also has the ability to hijack both DNS and HTTP for connections to private IP space. It can interact with other LAN-based devices to move data or introduce new agents.
While the initial access vector is unknown, once threat actors gain a foothold in the victim network, they deploy a bash script to gather host data and exfiltrate this data to the C2. The script then downloads and executes the appropriate Cuttlefish payload, based on the router’s architecture.
Cuttlefish passively sniffs network packets and uses an extended Berkeley Packet Filter to look for authentication data associated with cloud based services, including Alicloud, Amazon Web Services (AWS), Digital Ocean, CloudFlare, and Bitbucket. Cuttlefish acts as a proxy and a VPN to transmit any captured data through the victim router, allowing threat actors to use the stolen credentials.
Lumen noted an apparent code overlap between Cuttlefish and HiatusRat. HiatusRat is a malware that targets routers and is used for espionage activities. Researchers have linked HiatusRat to unnamed China nexus threat actors. While Cuttlefish and HiatusRat do not seem to share victimology, they do appear to be concurrently active.
IOCs
PolySwarm has multiple samples of Cuttlefish.
10a4edbbb852a1b01fc6fbf0aa1407bc8589432bddb2001ae62702f18d919e89
1168e97ccf61600536e93e9c371ee7671bae4198d4bf566550328b241ec52e89
23c2e7ff2602e5f76b3f2c354761ef39966facb3b12ed05551816f482d4d5608
2ed174523bd80a93b7d09940d375f9c0d71e1ce8ecffb2320e02a78f4b601408
3d9ee05c0841ad65547c0cc8516d092cff48dad5e7bbf97c99ddd44ee94a24bc
6295d5cb21c441066d2da81a76440bcac9bd5a7830fc9faea9668bd0b2015046
99d5cf32f8198e99c530be4f5e05487e280bacdb8ef26aaf38dc20e301aad75f
eb7a7ab952080f66c82fe8350da131ce0d7766f203bd4d97b0798b4f59283a27
You can use the following CLI command to search for all Cuttlefish samples in our portal:
$ polyswarm link list -f Cuttlefish
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.
