Eight Arms to Hold You: The Cuttlefish Malware

The ruleset directs the malware to hijack traffic destined for a private IP address; traffic heading to a public IP instead triggers a sniffer function that steals credentials when certain parameters are met. Whichever path is taken, after a successful intercept the threat actor creates either a VPN or proxy tunnel back into the compromised router, presumably to weaponize the stolen tokens and retrieve data hosted on cloud resources.

Disclaimer: This article is part of X-Force OSINT Advisories automated collection to enable faster integration of open-source articles to client environments. All credit and copyright goes to the original authors.

Reference:
https://blog.centurylink.com/eight-arms-to-hold-you-the-cuttlefish-malware/

Sample Indicators of Compromise:

http://209.141.49.178/dajfdsfadsfa/{architecture}
https://kkthreas.com/upload
198.98.56.93
https://205.185.122.121:443/upload?uuid=%s&filename=%s&tid={hex
pp.kkthreas.com
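The indicators above are URL templates with placeholders, bare IP addresses and a domain. To use them for detection they have to be reduced to matchable atoms (hosts and IPs) and then compared against router flow and DNS records, with the sniffer/hijack behaviour in mind: the interesting source is the gateway itself. The following script is an added example, not code from the advisory or from the original authors; the key=value log format and the sample lines in SAMPLE_LOG are constructed for illustration, and the only real values in it are the indicators copied from the list above.

```python
"""Match constructed router flow/DNS log lines against the Cuttlefish
indicators listed in this advisory. Added example; not the advisory's code."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the advisory's IoC list. The URL templates carry
# placeholders ({architecture}, %s), so only the host part is matched.
IOC_URLS = [
    "http://209.141.49.178/dajfdsfadsfa/{architecture}",
    "https://kkthreas.com/upload",
    "https://205.185.122.121:443/upload?uuid=%s&filename=%s",
]
IOC_BARE = ["198.98.56.93", "pp.kkthreas.com"]

# Constructed sample records (not from the advisory). 192.168.1.1 plays the
# role of the router; 192.168.1.20 is an ordinary LAN host.
SAMPLE_LOG = """\
2024-05-01T09:58:12Z type=dns src=192.168.1.1 query=pp.kkthreas.com
2024-05-01T09:58:13Z type=flow src=192.168.1.1 dst=198.98.56.93 dport=443 proto=tcp
2024-05-01T09:59:00Z type=flow src=192.168.1.20 dst=93.184.216.34 dport=443 proto=tcp
2024-05-01T10:00:05Z type=flow src=192.168.1.1 dst=205.185.122.121 dport=443 proto=tcp
2024-05-01T10:01:40Z type=dns src=192.168.1.20 query=updates.example.net
2024-05-01T10:02:11Z type=dns src=192.168.1.1 query=cdn.kkthreas.com
"""

KV = re.compile(r"(\w+)=(\S+)")


def split_indicators(items):
    """Reduce URLs and bare indicators to (ip_set, domain_set)."""
    ips, domains = set(), set()
    for item in items:
        host = urlsplit(item).hostname if "://" in item else item
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host.lower())
    return ips, domains


def domain_matches(name, domains):
    """True if name equals a listed domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict (timestamp under 'ts')."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def scan(log_text, ips, domains):
    """Return [(ts, src, indicator, reason)] for records touching an indicator."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        if f.get("dst") in ips:
            hits.append((f["ts"], f.get("src"), f["dst"], "flow to listed IP"))
        query = f.get("query", "")
        if query and domain_matches(query, domains):
            hits.append((f["ts"], f.get("src"), query.lower(), "DNS query for listed domain"))
    return hits


def sources_with_hits(hits):
    """Sorted list of source addresses that touched at least one indicator."""
    return sorted({h[1] for h in hits if h[1]})


if __name__ == "__main__":
    ip_set, domain_set = split_indicators(IOC_URLS + IOC_BARE)
    for hit in scan(SAMPLE_LOG, ip_set, domain_set):
        print(hit)
    print("sources:", sources_with_hits(scan(SAMPLE_LOG, ip_set, domain_set)))
```

Subdomain matching is deliberate: the list names both kkthreas.com and pp.kkthreas.com, so a query for any other label under kkthreas.com is treated as a hit rather than missed. When the only source address touching several indicators is the gateway, as in the constructed sample, that is consistent with the router-resident behaviour the advisory describes and should be triaged ahead of a single LAN host match.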
