The Cuttlefish malware, identified by the Black Lotus Labs team, specifically targets small office and home office (SOHO) routers to eavesdrop on network traffic and extract authentication data from HTTP GET and POST requests. In addition to passive sniffing, its modular design enables DNS and HTTP hijacking for connections to private IP addresses. The malware, active since July 27, 2023, has been used in campaigns predominantly targeting two Turkish telecom providers, infecting around 600 unique IP addresses.

Cuttlefish malware targets routers to steal cloud credentials through passive sniffing

Once installed on a compromised router, the malware deploys a bash script to collect host data, then downloads and executes the Cuttlefish payload from a dedicated server. Notably, it installs an extended Berkeley Packet Filter (eBPF) to sniff network packets and steal credentials associated with public cloud services such as Alicloud, AWS, and Cloudflare. Cuttlefish also acts as a proxy and VPN to transmit data, giving the threat actors access to the targeted resources through the stolen credentials.
https://thehackernews.com/2024/05/new-cuttlefish-malware-hijacks-router.html
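The exposure Cuttlefish exploits is cloud API credentials travelling over plaintext HTTP, where any device on the path (including a compromised SOHO router) can read them. As an added example that is not from the article or the Black Lotus Labs report, the following Python audit scans captured plaintext HTTP requests for credential-bearing headers and GET/POST parameters so a defender can find clients that still talk to cloud APIs without TLS; the header and parameter names, the AWS key-ID pattern, and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Header names and query/form parameters that commonly carry cloud API credentials.
# Assumed list for illustration; extend it for the cloud providers you actually use.
CREDENTIAL_HEADERS = {"authorization", "x-auth-key", "x-auth-email", "x-amz-security-token"}
CREDENTIAL_PARAMS = {"accesskeyid", "signature", "securitytoken", "x-amz-credential"}
# AWS access key IDs are 20 characters starting with AKIA (long-term) or ASIA (temporary).
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

def find_cleartext_credentials(raw_request: str) -> list[str]:
    """Return findings for credential material exposed in one plaintext HTTP request."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else "/"
    findings = []
    # 1. Headers that carry tokens or signatures in the clear.
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in CREDENTIAL_HEADERS and value.strip():
            findings.append(f"header {name.strip()}")
    # 2. Credential-like parameters in the URL query and, for POST, the form body.
    params = parse_qs(urlsplit(target).query)
    if method == "POST":
        params.update(parse_qs(body))
    for name in params:
        if name.lower() in CREDENTIAL_PARAMS:
            findings.append(f"param {name}")
    # 3. Bare AWS access key IDs anywhere in the request; report them redacted.
    for key_id in AWS_KEY_ID.findall(raw_request):
        findings.append(f"aws-key-id {key_id[:4]}...{key_id[-4:]}")
    return findings

# Constructed sample requests (not real traffic or real credentials).
AWS_REQUEST = ("GET /?Action=ListBuckets HTTP/1.1\r\nHost: s3.amazonaws.com\r\n"
               "Authorization: AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE0000000AB/20240501/"
               "us-east-1/s3/aws4_request, SignedHeaders=host, Signature=abc\r\n\r\n")
ALICLOUD_REQUEST = ("POST /api HTTP/1.1\r\nHost: ecs.aliyuncs.com\r\n"
                    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    "Action=DescribeInstances&AccessKeyId=LTAI0000EXAMPLE&Signature=Zm9v")
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    for req in (AWS_REQUEST, ALICLOUD_REQUEST, BENIGN_REQUEST):
        print(req.split("\r\n")[1], "->", find_cleartext_credentials(req) or "clean")
```

Any finding marks a client that should be moved to HTTPS (or have its credentials rotated if the path is untrusted), since a sniffer at the router would see exactly these fields.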