Dissecting Cuttlefish Malware (Attack Anatomy)

The Cuttlefish Malware is a recent zero-click malware variant identified and analyzed by Lumen Technologies’ Black Lotus Labs, who publicly reported it in May 2024. However, the malware has been active since at least July 2023, and likely earlier. It also has significant similarities to HiatusRAT, which has been active since at least July 2022.

In this article, we’ll explore some of the key capabilities of this malware through the lens of the MITRE ATT&CK framework. 

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. It helps teams understand and defend against cyber threats, breaking down attacks into:

1. Tactics: The goals or high-level objectives that attackers want to achieve at different stages of an attack. Examples include Reconnaissance, Execution, and Defense Evasion. 

2. Techniques: Describe the "how" behind a tactic. For example, the Reconnaissance Tactic has concrete steps with techniques like Active Scanning, Vulnerability Scanning, Gather Victim Identity Information, etc.

We’ll map HiatusRAT’s capabilities to MITRE techniques. For each technique used, we’ll also point you to a relevant HTB resource that you can use to explore and try the techniques for yourself.

How Cuttlefish works

Cuttlefish is a malware variant that targets small office/home office (SOHO) routers. Once installed, it uses its access to steal credentials, redirect traffic, and act as a proxy for other attacks.

Initial infection

At the time of publishing this blog post, the initial infection vector used by Cuttlefish is currently unknown. However, the end result is a bash script that executes on the infected router.

Initially, the bash script collects certain information about the infected device (MITRE ATT&CK Technique T0183), including:

• Directory listing

• Contents of /etc

• List of running processes

• List of active connections

• Contents of /etc/config

This information is uploaded to an attacker-controlled domain, and then deleted from the disk. Then, the malware downloads and executes Cuttlefish (MITRE ATT&CK T1059.004).

Cuttlefish startup

The Cuttlefish binary implements some mechanisms to evade detection. One of these is that the file is named .timezone, which a basic ls command will not find due to the leading period, and can look legitimate to a user. Additionally, the file gets deleted from the filesystem once it has been executed, and persists as resident in memory (MITRE ATT&CK T1070.004).

After installation, Cuttlefish binds itself to port 61235. Because this is a high-numbered port, it is unlikely to be used by any other service (MITRE ATT&CK T1571). The malware also uses this as a mutex, only executing if the port is not in use.

This malware is designed to take advantage of its presence on routers to monitor and hijack network connections (MITRE ATT&CK T1557). It uses libpcap to define a filter for traffic of interest. Cuttlefish also downloads a configuration file from a command and control server to identify this traffic, but it generally falls into two categories:

1. Traffic to private IP addresses

2. Traffic to public IP addresses, such as cloud services

Hijacking traffic to private IPs

The malware contains a list of private IP addresses of interest, such as anything in the 192.168.0.0/16 range. Cuttlefish will monitor for UDP connections to port 53 (DNS) and TCP connections to various ports, including port 80 (HTTP).

By default, DNS is an unencrypted and unauthenticated protocol. If the Cuttlefish malware identifies DNS traffic, it can perform a man-in-the-middle (MitM) attack by sending its own response to the request and dropping the legitimate one. DNS requests were sent to fadsdsdasaf2233[.]com and had an IP address of “2.2.2[.]2.”

The malware also looked for HTTP GET and POST requests, which it redirects using the error code 302, to indicate that the requested resource was temporarily relocated. Cuttlefish sent all of these requests to an address included in the malware’s configuration file. One example of the malware used the address 114.114.114[.]114, which is located in China.

 

Collecting credentials from public traffic

In addition to redirecting traffic to private IPs, Cuttlefish also attempts to sniff login credentials from traffic to public IPs (MITRE ATT&CK T1040). A full list of the ports monitored is available from the Black Lotus Labs GitHub. 

When sniffing this traffic, the malware looks for keywords associated with sensitive information, such as:

• username=

• password

• amazon_secret_access_key=

• authorizationToken=

• aws_token=

• dbpassword=

The malware has a list of hundreds of these keywords to search for within HTTP queries, headers, and other plaintext data. It exfiltrates any hits to the attacker’s command and control (C2) server for later use.

While the malware monitored ports associated with encrypted traffic, such as 443/HTTPS, it lacked the ability to degrade TLS connections via a downgrade attack. Since most web traffic is now HTTPS, this limits the effectiveness of the attack.

VPN and proxy capabilities

In addition to monitoring network traffic, Cuttlefish also uses the open-source n2n project to establish a VPN connection between their systems and the infected router. Alternatively, it could use the infected router as a proxy.

This connection has a couple of potential applications for the attackers. One is that any sign-in attempts using compromised credentials could be proxied through the router to avoid raising red flags for sign-in attempts from an unusual IP address (MITRE ATT&CK T1090.001).

This access also provides the attacker with access to a private IP address on the compromised network, which can be used to bypass firewalls and other access controls.

Cuttlefish in MITRE and HTB

The MITRE ATT&CK framework and HTB provide complementary capabilities for developing individuals’ or teams’ understandings of the cyber threats that they face. 

MITRE ATT&CK is a goldmine of information about how a particular technique works and methods for detecting and defending against it. HTB provides hands-on experience with various techniques, providing analysts with the understanding required to develop defenses and identify these threats in their networks.

The Cuttlefish malware uses various techniques to evade detection and achieve its goals. The following table identifies some of the key MITRE ATT&CK Techniques that the malware uses to evade and attack, as well as HTB resources that contain related content.

HTB and MITRE ATT&CK mapped skills development 

Aside from understanding emerging threats, security teams need to develop threat models, develop detection strategies for specific environments, and prioritize security investments. For this reason, HTB carefully maps courses and labs to the MITRE ATT&CK framework.

Managers using the HTB Enterprise Platform can easily search courses using MITRE terminology and assign them based on the techniques and tactics relevant to their teams.

This search feature works with specific MITRE tactics or techniques (for example, T1594 or Active Scanning) or with text keywords found in the course material.