Search by:
28 May 2018
Cisco Talos researchers have detected new malware, which has been dubbed VPNFilter. To date, the malware has infected at least 500,000 routers and network-attached storage (NAS) devices in 54 countries of the world. The list of infected devices includes:
The VPNFilter malware has a sophisticated modular architecture with components that implement various functions at three main stages of its operation:
After infecting a device, the malware can download further malicious programs usinf several different methods.
First, the malware attempts to access a gallery on Photobucket.com, downloading the first image on the page and extracting the download server’s IP address from six integer values for GPS latitude and longitude in the EXIF information. As Kaspersky Lab experts found out, the Photobucket.com galleries used by VPNFilter have been deleted, so the malware can no longer use this mechanism.
The second method is to extract an image file from the hardcoded domain toknowall[.]com. The domain has now been seized by the FBI.
And finally, if these attempts are unsuccessful, the malware goes into passive backdoor mode, in which it monitors network traffic on the infected device, listening for the attackers’ commands.
VPNFilter workflow (source: Cisco Talos)
This means that the information security community should keep close tabs on VPNFilter, because the malware can be used to steal account credentials, detect industrial SCADA equipment and conduct various attacks involving infected devices united into a botnet, to the point of depriving hundreds of thousands of users across the globe of internet access. In addition, It contains a destructive payload which is capable of rendering infected devices unbootable.
According to experts, the malware uses a broken (or incorrect) RC4 implementation which has been observed before with the BlackEnergy malware. However, the malware cannot be conclusively attributed to that APT group based on this indicator alone, even though Black Energy is known to have deployed router malware going back as far as 2014.
Sources: Cisco Talos, Symantec, Kaspersky Lab