New Cuttlefish malware infects routers to monitor traffic for credentials

A new malware named ‘Cuttlefish’ has been spotted infecting enterprise-grade and small office/home office (SOHO) routers to monitor data that passes through them and steal authentication information.

Lumen Technologies’ Black Lotus Labs examined the new malware and reports that Cuttlefish creates a proxy or VPN tunnel on the compromised router to exfiltrate data discreetly while bypassing security measures that detect unusual sign-ins.

The malware can also perform DNS and HTTP hijacking within private IP spaces, interfering with internal communications and possibly introducing more payloads.
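The hijacking described above is easiest to spot from the network's own DNS answers: an internal hostname that suddenly resolves to an address it never resolved to before, or to a public address at all, is a strong signal that something between the client and the resolver is rewriting responses. The following Python script is an added example, not code from the original article or from Black Lotus Labs; it runs a baseline check over constructed resolver log lines. The log format, the hostnames, the client addresses and the expected-answer baseline are all assumptions made for the example.

```python
import ipaddress
import re

# RFC 1918 ranges; an internal name answered with anything outside these is suspicious.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed baseline (assumption): internal names and the addresses they are expected to resolve to.
EXPECTED = {
    "intranet.corp.example": {"10.1.2.10"},
    "git.corp.example": {"10.1.2.20"},
}

# Constructed log lines in a simple key=value format (assumption, not any real resolver's format).
SAMPLE_LOG = """\
2024-05-01T10:00:01 client=192.168.1.23 query=intranet.corp.example answer=10.1.2.10
2024-05-01T10:00:05 client=192.168.1.23 query=git.corp.example answer=198.51.100.7
2024-05-01T10:00:09 client=192.168.1.40 query=intranet.corp.example answer=10.1.9.99
2024-05-01T10:00:12 client=192.168.1.40 query=www.example.com answer=93.184.216.34
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)")


def parse_line(line):
    """Extract client, query and answer from one log line; None if the line does not match."""
    match = LINE_RE.search(line)
    return match.groupdict() if match else None


def is_private(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def classify(query, answer):
    """Return a reason string if the answer for an internal name deviates from baseline, else None."""
    expected = EXPECTED.get(query)
    if expected is None:
        return None  # not a name we track; external names are out of scope for this check
    if answer in expected:
        return None  # matches the known-good answer
    if not is_private(answer):
        return "internal name resolved to public address"
    return "internal name resolved to unexpected private address"


def find_hijack_candidates(log_text):
    """Scan log text and return (client, query, answer, reason) for every deviating answer."""
    findings = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        reason = classify(record["query"], record["answer"])
        if reason:
            findings.append((record["client"], record["query"], record["answer"], reason))
    return findings


if __name__ == "__main__":
    for client, query, answer, reason in find_hijack_candidates(SAMPLE_LOG):
        print(f"{client}: {query} -> {answer} ({reason})")
```

The check deliberately treats a public answer for an internal name as a separate, higher-severity finding from an unexpected private answer: the former is the pattern that would carry traffic off the local network, while the latter can also result from legitimate address changes and should be reconciled against the baseline before raising an alert.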

Although Cuttlefish shares some code with HiatusRat, which has previously been observed in campaigns aligned with Chinese state interests, there are no concrete links between the two, and no attribution could be made.

Black Lotus Labs says the malware has been active since at least July 2023. It is currently running an active campaign concentrated in Turkey, with a few infections elsewhere impacting satellite phone and data center services.

Source: bleepingcomputer.com