Red Teaming

7 min read

Dissecting Cuttlefish Malware (Attack Anatomy)

We explore the key capabilities of this Cuttlefish Malware through the lens of the MITRE ATT&CK framework.

Howard Poston IamRoot, Jun 27,
2024

The Cuttlefish Malware is a recent zero-click malware variant identified and analyzed by Lumen Technologies’ Black Lotus Labs, who publicly reported it in May 2024. However, the malware has been active since at least July 2023, and likely earlier. It also has significant similarities to HiatusRAT, which has been active since at least July 2022.

In this article, we’ll explore some of the key capabilities of this malware through the lens of the MITRE ATT&CK framework. 

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. It helps teams understand and defend against cyber threats, breaking down attacks into:

  1. Tactics: The goals or high-level objectives that attackers want to achieve at different stages of an attack. Examples include Reconnaissance, Execution, and Defense Evasion. 

  2. Techniques: Describe the "how" behind a tactic. For example, the Reconnaissance Tactic has concrete steps with techniques like Active Scanning, Vulnerability Scanning, Gather Victim Identity Information, etc.

We’ll map HiatusRAT’s capabilities to MITRE techniques. For each technique used, we’ll also point you to a relevant HTB resource that you can use to explore and try the techniques for yourself.

Cuttlefish malware analysis (mitre attack)

How Cuttlefish works

Cuttlefish is a malware variant that targets small office/home office (SOHO) routers. Once installed, it uses its access to steal credentials, redirect traffic, and act as a proxy for other attacks.

Initial infection

At the time of publishing this blog post, the initial infection vector used by Cuttlefish is currently unknown. However, the end result is a bash script that executes on the infected router.

Initially, the bash script collects certain information about the infected device (MITRE ATT&CK Technique T0183), including:

  • Directory listing

  • Contents of /etc

  • List of running processes

  • List of active connections

  • Contents of /etc/config

This information is uploaded to an attacker-controlled domain, and then deleted from the disk. Then, the malware downloads and executes Cuttlefish (MITRE ATT&CK T1059.004).

Cuttlefish startup

The Cuttlefish binary implements some mechanisms to evade detection. One of these is that the file is named .timezone, which a basic ls command will not find due to the leading period, and can look legitimate to a user. Additionally, the file gets deleted from the filesystem once it has been executed, and persists as resident in memory (MITRE ATT&CK T1070.004).

After installation, Cuttlefish binds itself to port 61235. Because this is a high-numbered port, it is unlikely to be used by any other service (MITRE ATT&CK T1571). The malware also uses this as a mutex, only executing if the port is not in use.

This malware is designed to take advantage of its presence on routers to monitor and hijack network connections (MITRE ATT&CK T1557). It uses libpcap to define a filter for traffic of interest. Cuttlefish also downloads a configuration file from a command and control server to identify this traffic, but it generally falls into two categories:

  1. Traffic to private IP addresses

  2. Traffic to public IP addresses, such as cloud services

Hijacking traffic to private IPs

The malware contains a list of private IP addresses of interest, such as anything in the 192.168.0.0/16 range. Cuttlefish will monitor for UDP connections to port 53 (DNS) and TCP connections to various ports, including port 80 (HTTP).

By default, DNS is an unencrypted and unauthenticated protocol. If the Cuttlefish malware identifies DNS traffic, it can perform a man-in-the-middle (MitM) attack by sending its own response to the request and dropping the legitimate one. DNS requests were sent to fadsdsdasaf2233[.]com and had an IP address of “2.2.2[.]2.”

The malware also looked for HTTP GET and POST requests, which it redirects using the error code 302, to indicate that the requested resource was temporarily relocated. Cuttlefish sent all of these requests to an address included in the malware’s configuration file. One example of the malware used the address 114.114.114[.]114, which is located in China.

Practice forensics & malware analysis with Sherlocks

Step into the role of a DFIR specialist and trace the steps of an external contractor who breached Forela's internal forum.

This free DFIR lab tests your ability to work with forum logs and an SQLite3 database dump. You’ll unravel how the perpetrator exploited the Guest WiFi to steal administrative credentials.

Skills you’ll learn:

  • Database forensics: Examine SQLite databases to identify unauthorized modifications, user activities, and extraction of sensitive information.

  • JavaScript malware analysis: Get familiar with the behavior of malicious JavaScript code embedded in web pages to steal credentials.

  • Lightweight Directory Access Protocol (LDAP) integration security: Boost your knowledge of securing LDAP integrations within applications to prevent credential compromise and unauthorized access.

 

Collecting credentials from public traffic

In addition to redirecting traffic to private IPs, Cuttlefish also attempts to sniff login credentials from traffic to public IPs (MITRE ATT&CK T1040). A full list of the ports monitored is available from the Black Lotus Labs GitHub

When sniffing this traffic, the malware looks for keywords associated with sensitive information, such as:

  • username=

  • password

  • amazon_secret_access_key=

  • authorizationToken=

  • aws_token=

  • dbpassword=

The malware has a list of hundreds of these keywords to search for within HTTP queries, headers, and other plaintext data. It exfiltrates any hits to the attacker’s command and control (C2) server for later use.

While the malware monitored ports associated with encrypted traffic, such as 443/HTTPS, it lacked the ability to degrade TLS connections via a downgrade attack. Since most web traffic is now HTTPS, this limits the effectiveness of the attack.

VPN and proxy capabilities

In addition to monitoring network traffic, Cuttlefish also uses the open-source n2n project to establish a VPN connection between their systems and the infected router. Alternatively, it could use the infected router as a proxy.

This connection has a couple of potential applications for the attackers. One is that any sign-in attempts using compromised credentials could be proxied through the router to avoid raising red flags for sign-in attempts from an unusual IP address (MITRE ATT&CK T1090.001).

This access also provides the attacker with access to a private IP address on the compromised network, which can be used to bypass firewalls and other access controls.

Cuttlefish in MITRE and HTB

The MITRE ATT&CK framework and HTB provide complementary capabilities for developing individuals’ or teams’ understandings of the cyber threats that they face. 

MITRE ATT&CK is a goldmine of information about how a particular technique works and methods for detecting and defending against it. HTB provides hands-on experience with various techniques, providing analysts with the understanding required to develop defenses and identify these threats in their networks.

The Cuttlefish malware uses various techniques to evade detection and achieve its goals. The following table identifies some of the key MITRE ATT&CK Techniques that the malware uses to evade and attack, as well as HTB resources that contain related content.

HiatusRAT Capability

MITRE ATT&CK Technique

HTB Resources

Collecting and exfiltrating data about infected machine

T1083 File and Directory Discovery

Footprinting

Linux Privilege Escalation

T0157 Process Discovery

Bash file downloads and runs Cuttlefish

T1059.004 Command and Scripting Interpreter: Unix Shell

Shells and Payloads

Deletion of .timezone from disk after execution

T1070.004 Indicator Removal: File Deletion

Introduction to Digital Forensics



Use of mutex to ensure uniqueness

T 1571 Non-Standard Port

Understanding Log Sources & Investigating with Splunk



Hijacking DNS lookups

T 1557 Adversary in the Middle

Intro to Network Traffic Analysis

Redirecting HTTP requests

Sniffing credentials from network traffic

T1040 Network Sniffing

Using compromised router as VPN/proxy

T1090.001 Proxy: Internal Proxy

Pivoting, Tunneling, and Port Forwarding

Easi maps MITRE ATT&CK to client engagements

Easi, a European IT services partner with over 400 employees, successfully implemented a skills development program that directly applies to engagements with clients.

The mapping of HTB Professional Labs to the MITRE ATT&CK matrix aligned training sessions to real-world scenarios and correlated skills development to improved client engagements.

HTB and MITRE ATT&CK mapped skills development 

Aside from understanding emerging threats, security teams need to develop threat models, develop detection strategies for specific environments, and prioritize security investments. For this reason, HTB carefully maps courses and labs to the MITRE ATT&CK framework.

Managers using the HTB Enterprise Platform can easily search courses using MITRE terminology and assign them based on the techniques and tactics relevant to their teams.

This search feature works with specific MITRE tactics or techniques (for example, T1594 or Active Scanning) or with text keywords found in the course material. 

 
Hack The Blog

The latest news and updates, direct from Hack The Box