Cuttlefish Malware Targets Routers to Steal Credentials

A newly identified malware named ‘Cuttlefish’ has been detected infecting both enterprise-grade and small office/home office (SOHO) routers to monitor traffic and steal authentication information. Cuttlefish creates a proxy or VPN tunnel on compromised routers, allowing data exfiltration without triggering security alerts.

This malware can also perform DNS and HTTP hijacking within private IP spaces, disrupting internal communications and potentially introducing additional malicious payloads. Despite some code similarities with HiatusRat, previously linked to Chinese state interests, there is no concrete evidence connecting the two, making attribution challenging.

Cuttlefish has been active since at least July 2023, with a significant campaign in Turkey and additional infections affecting satellite phone and data center services globally. The initial infection method remains unclear but may involve exploiting known vulnerabilities or brute-forcing router credentials.

Once a router is compromised, a bash script (“s.sh”) collects host-based data, including directory listings, running processes, and active connections. The script then downloads and executes the primary Cuttlefish payload (“.timezone”), which loads into memory to evade detection and deletes the downloaded file from the system.
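A payload that runs from memory and unlinks its own file leaves one reliable trace on a Linux host: the kernel still knows which file the process was started from, and `/proc/<pid>/exe` reports that path with a " (deleted)" suffix. The check below is an added example, not code from the Cuttlefish report or from Black Lotus Labs; the process names, paths and the fake `/proc` tree it builds are constructed for illustration, and the `proc_root` parameter is an assumption that lets the same function run against a copied or constructed tree.

```python
"""Find running processes whose executable has been unlinked from disk.

Added example; not code from the Cuttlefish report. A payload that is executed
and then removed, as the article describes for ".timezone", keeps running from
memory, but on Linux /proc/<pid>/exe then ends in " (deleted)". proc_root is a
parameter so the check can also be run against a copied or constructed tree.
"""
import os
import tempfile


def deleted_executables(proc_root: str = "/proc"):
    """Return sorted [(pid, exe_target, cmdline)] for every pid whose exe link
    ends in ' (deleted)'. Run as root for full coverage; unreadable pids are skipped."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/net, ...
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:                  # kernel thread, exited pid, or no permission
            continue
        if not target.endswith(" (deleted)"):
            continue
        try:
            with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").strip().decode("utf-8", "replace")
        except OSError:
            cmdline = ""
        findings.append((int(entry), target, cmdline))
    return sorted(findings)


def build_sample_proc(root: str) -> None:
    """Construct a minimal fake /proc: one normal daemon, one kernel thread with
    no exe link, and one process whose binary was deleted after launch.
    The pid 4242 entry is constructed and only mirrors the article's payload name."""
    for pid, exe, cmdline in (
        (1, "/sbin/init", b"/sbin/init\0"),
        (2, None, b""),
        (4242, "/tmp/.timezone (deleted)", b"/tmp/.timezone\0"),
    ):
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir)
        if exe is not None:
            os.symlink(exe, os.path.join(pid_dir, "exe"))   # dangling link, like the real entry
        with open(os.path.join(pid_dir, "cmdline"), "wb") as fh:
            fh.write(cmdline)
    os.makedirs(os.path.join(root, "net"))                 # non-pid entry, must be ignored


def demo():
    """Run the check against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_proc(tmp)
        return deleted_executables(tmp)


if __name__ == "__main__":
    print("sample tree:", demo())
    for pid, exe, cmdline in deleted_executables():
        print(f"pid {pid}: {exe}  cmdline={cmdline!r}")
```

Two caveats when running this on a real host: a long-running daemon whose binary was replaced by a package upgrade also shows " (deleted)", so judge the path (a dotfile under a writable directory is far more suspicious than `/usr/sbin/sshd`) and correlate with unexpected sockets; and most router firmware has no Python, so on the device itself the equivalent is `ls -l /proc/[0-9]*/exe 2>/dev/null | grep deleted`, or copy `/proc` entries off and run the function against the copy.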

Cuttlefish is available in various builds supporting ARM, i386, i386_i686, i386_x64, mips32, and mips64 architectures, covering most router types. Upon execution, it uses a packet filter to monitor all device connections, performing specific actions based on rulesets updated from the attacker’s command and control (C2) server.

The malware passively sniffs packets for “credential markers” such as usernames, passwords, and tokens, particularly those related to cloud services like Alicloud, AWS, Digital Ocean, CloudFlare, and BitBucket. Captured credentials are locally logged and exfiltrated to the C2 once a certain data size is reached, using a peer-to-peer VPN (n2n) or proxy tunnel (socks_proxy).
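A router sits on the path of every flow, so whatever is readable in a plaintext payload is readable to a sniffer running on it. The audit below turns that around defensively: run the same kind of marker match over flows from a LAN-side capture to see what a compromised router could already have harvested. It is an added example, not code from the Cuttlefish report; the marker patterns are assumptions about what a "credential marker" looks like (the report's own list is not on this page), the flows, hostnames and form password are constructed, and the AWS key id is Amazon's documented placeholder AKIAIOSFODNN7EXAMPLE.

```python
"""Audit captured HTTP payloads for credential markers a router-level sniffer would harvest.

Added example; not code from the Cuttlefish report. The MARKERS patterns are
assumptions about what a credential marker looks like; the sample flows below
are constructed. TLS payloads are inspected like any other and yield nothing,
which is the practical argument for TLS on internal traffic.
"""
import re

MARKERS = {
    "authorization header": re.compile(rb"^authorization:\s*\S+", re.I | re.M),
    "aws access key id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),      # long-term key id format
    "form password field": re.compile(rb"(?:^|[&?])(?:password|passwd|pwd)=[^&\s]+", re.I),
    "session cookie": re.compile(rb"^cookie:[^\r\n]*(?:session|token)\w*=", re.I | re.M),
}


def redact(value: bytes) -> str:
    """Keep enough of a match to recognise it in a report, never the secret itself."""
    text = value.decode("ascii", "replace")
    return f"{text[:10]}...({len(text)} bytes)"


def find_credential_markers(payload: bytes):
    """Return [(marker_name, redacted_match)] for one request payload."""
    hits = []
    for name, pattern in MARKERS.items():
        for m in pattern.finditer(payload):
            hits.append((name, redact(m.group(0))))
    return hits


def audit_flows(flows):
    """flows: [(client_ip, server_ip, dport, payload)] -> flows that carried a marker."""
    report = []
    for client, server, dport, payload in flows:
        hits = find_credential_markers(payload)
        if hits:
            report.append((client, server, dport, hits))
    return report


# Constructed sample flows as they might be pulled from a LAN-side capture.
SAMPLE_FLOWS = [
    ("10.0.0.15", "10.0.0.40", 80,
     b"POST /api/login HTTP/1.1\r\nHost: git.corp.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"username=alice&password=Winter2024!"),
    ("10.0.0.15", "10.0.0.41", 80,
     b"GET /bucket/obj HTTP/1.1\r\nHost: s3.corp.example\r\n"
     b"Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20240501/us-east-1/s3/aws4_request\r\n\r\n"),
    ("10.0.0.16", "10.0.0.42", 80,
     b"GET /dashboard HTTP/1.1\r\nHost: grafana.corp.example\r\n"
     b"Cookie: grafana_session=8f1c2ab9; theme=dark\r\n\r\n"),
    ("10.0.0.16", "10.0.0.40", 80, b"GET / HTTP/1.1\r\nHost: git.corp.example\r\n\r\n"),
    # TLS ClientHello bytes (constructed): opaque to the sniffer, so no marker can match
    ("10.0.0.16", "10.0.0.41", 443, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32),
]


if __name__ == "__main__":
    for client, server, dport, hits in audit_flows(SAMPLE_FLOWS):
        print(f"{client} -> {server}:{dport}")
        for name, snippet in hits:
            print(f"    {name}: {snippet}")
```

Of the five constructed flows, three carry a marker and two do not: the bare GET has nothing to read, and the TLS flow is on the same wire but opaque. That is the practical answer to this capability: cloud API calls and internal logins that only ever cross the router inside TLS give a passive sniffer nothing to log.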

Additionally, for traffic destined to private IP addresses, DNS requests are redirected to an attacker-specified DNS server, and HTTP requests are answered with HTTP 302 redirects (a redirect status, not an error) that send the client on to attacker-controlled infrastructure. Because this only applies to private-address traffic, it can hijack internal (east-west) traffic crossing the router, or site-to-site traffic over VPN tunnels between routers, and so reach resources that are not exposed to the public internet.
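Both hijacks leave a signature that can be checked from the LAN side of the router: an internal name that suddenly resolves to a public address, or a request to a private address that comes back as a 3xx whose Location leaves private space. The check below is an added example, not code from the Cuttlefish report. It assumes the analyst has already extracted DNS answers and raw HTTP responses from a capture or proxy log; the records, hostnames and the injected resolver are constructed. TEST-NET addresses stand in for public ones, which is why private space is listed explicitly instead of using `ipaddress.is_private` (Python counts the TEST-NET ranges as private, so they would never be flagged).

```python
"""Flag DNS answers and HTTP redirects that pull private-IP traffic out of the LAN.

Added example; not code from the Cuttlefish report. Records, names and
addresses below are constructed; the resolver is injected so the check runs
offline. Private space is enumerated explicitly because the sample uses
TEST-NET addresses as stand-ins for public ones, and ipaddress.is_private
would treat those as private too.
"""
import ipaddress
import re
from urllib.parse import urlsplit

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_private(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def dns_hijack_suspects(answers, internal_suffixes):
    """answers: [(qname, [ip, ...])]. An internal name should only resolve to
    private space; a public answer means some other resolver served it."""
    suffixes = tuple(s.lower() for s in internal_suffixes)
    hits = []
    for qname, ips in answers:
        if not qname.lower().rstrip(".").endswith(suffixes):
            continue
        public = [ip for ip in ips if not is_private(ip)]
        if public:
            hits.append((qname, public))
    return hits


STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: |$)")


def parse_response_head(raw: bytes):
    """Return (status, location) from a raw HTTP/1.x response; location may be None."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    m = STATUS_RE.match(head[0])
    if not m:
        return None, None
    location = None
    for line in head[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            location = value.strip().decode("ascii", "replace")
    return int(m.group(1)), location


def http_hijack_suspects(responses, resolve):
    """responses: [(dest_ip, raw_response)]; resolve: hostname -> ip or None.
    Flags a 3xx answer to a private destination whose Location does not stay
    in private space, the 302 rewrite described in the article."""
    hits = []
    for dest_ip, raw in responses:
        if not is_private(dest_ip):
            continue
        status, location = parse_response_head(raw)
        if status is None or not 300 <= status < 400 or not location:
            continue
        host = urlsplit(location).hostname
        if host is None:            # relative redirect: stays on the same private host
            continue
        try:
            ipaddress.ip_address(host)
            target = host
        except ValueError:
            target = resolve(host)  # injected resolver keeps the check offline
        if target is None or not is_private(target):
            hits.append((dest_ip, status, location, target))
    return hits


# Constructed sample records; 203.0.113.0/24 stands in for public space.
INTERNAL_SUFFIXES = (".corp.example",)
SAMPLE_DNS = [
    ("intranet.corp.example", ["10.0.5.20"]),
    ("gitlab.corp.example", ["203.0.113.45"]),    # internal name answered with a public IP
    ("cdn.example.net", ["203.0.113.200"]),       # external name, out of scope
]
SAMPLE_HTTP = [
    ("10.0.5.20", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    ("10.0.5.20", b"HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"),
    ("10.0.5.20", b"HTTP/1.1 302 Found\r\nLocation: https://intranet.corp.example/login\r\n\r\n"),
    ("10.0.5.21", b"HTTP/1.1 302 Found\r\nLocation: http://203.0.113.9/login\r\n\r\n"),
    ("10.0.5.22", b"HTTP/1.1 302 Found\r\nLocation: http://updates.example.net/\r\n\r\n"),
    ("203.0.113.80", b"HTTP/1.1 302 Found\r\nLocation: http://203.0.113.81/\r\n\r\n"),  # public destination, out of scope
]
FAKE_RESOLVER = {"intranet.corp.example": "10.0.5.20", "updates.example.net": "203.0.113.7"}


def demo():
    return (dns_hijack_suspects(SAMPLE_DNS, INTERNAL_SUFFIXES),
            http_hijack_suspects(SAMPLE_HTTP, FAKE_RESOLVER.get))


if __name__ == "__main__":
    dns_hits, http_hits = demo()
    print("DNS:", dns_hits)
    print("HTTP:", http_hits)
```

On the sample, one DNS answer and two redirects are flagged; the relative redirect and the redirect to an internal name that still resolves privately are correctly left alone. In production the resolver argument should be a lookup against the authoritative internal DNS (not whatever the router hands out, since that is the server under suspicion), and the records should come from a capture taken on the LAN side of the router, where the rewritten responses are visible.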

Preventing a Cuttlefish infection starts with the router itself: keep its firmware updated to close known vulnerabilities, and replace default login credentials with strong, unique passwords, since credential brute-forcing is one of the suspected entry routes. Network segmentation limits how much traffic a compromised router can see and manipulate, and intrusion detection and prevention systems (IDPS) can flag the behaviour described above, such as DNS or HTTP redirection of private-address traffic to unexpected destinations. Because the malware reads credentials out of passing packets, enforcing TLS for internal and cloud-service traffic also leaves it nothing in cleartext to harvest.