VPNFilter Malware Adds 7 New Network Exploitation Modules


Security researchers have found even more capabilities in VPNFilter, the sophisticated malware that infected roughly 500,000 routers and NAS devices worldwide.

Attributed to Russia's APT28, also known as 'Fancy Bear', VPNFilter is malware designed to infect routers and network-attached storage (NAS) devices, covering dozens of models from vendors including Linksys, D-Link, Huawei, ZTE, Ubiquiti, UPVEL, MikroTik, Netgear, TP-Link, QNAP and ASUS.

In May, after VPNFilter had compromised a large number of routers and NAS devices in 54 countries, the FBI seized a key command-and-control domain used by the malware and asked users to reboot their equipment.

Initially, VPNFilter was found to carry several third-stage attack modules that could be deployed on infected routers to steal website credentials and to monitor industrial control (SCADA) protocols such as Modbus, the kind used in electrical grids and manufacturing plants.

However, in a newer report, Cisco's Talos Intelligence group said it dug into recent VPNFilter samples and found seven additional modules, some of which can be used to exploit the endpoints on the network behind an infected router. This lets the attackers steal data from those endpoints and turn the router into a relay under their control, which they can use as a server for future attacks.

Here is the list of the seven newly discovered VPNFilter modules uncovered by Talos researchers, each of which adds significant functionality to the malware:

htpx — This module redirects and inspects HTTP traffic passing through the router in order to identify Windows executables in transit. Researchers believe it could be used to inject malicious code into binaries as they pass through the infected device.

ndbr — This module is a multifunctional secure shell (SSH) utility that lets a remote attacker turn the compromised device into an SSH server, an SSH client, or an nmap-style port scanner.

nm — This is a network-mapping module that can be used to perform reconnaissance of the local network from the infected device.

netfilter — This module is a denial-of-service tool that lets an attacker insert iptables rules into the device's firewall to block traffic to and from specified sets of network addresses.

portforwarding — This module forwards network traffic to attacker-specified infrastructure (such as a VPS), allowing the attackers to intercept connections.

socks5proxy — This module sets up a SOCKS5 proxy on the device, allowing the attackers to build a distributed network of proxies for use in future attacks.

tcpvpn — This module sets up a reverse-TCP VPN on the compromised device, allowing remote attackers to reach the internal networks and systems behind it.
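Two of the modules above, htpx and netfilter, work by changing the firewall rules on the router itself, which means a defender with shell access can look for their footprints in the live ruleset. The following Python script is an added example, not part of the original article and not VPNFilter's or Talos's code: it audits an `iptables-save` dump for a nat-table REDIRECT of port-80 traffic to a local port (the way an htpx-style module would put HTTP traffic in front of its inspector) and for FORWARD-chain DROP rules against whole address ranges (the effect of a netfilter-style block). The sample dump is constructed; the redirect port 8888 and the address ranges in it are placeholders, and the exact rules VPNFilter inserts are not documented on this page.

```python
"""Audit an iptables-save dump for rules resembling those VPNFilter's htpx
(HTTP interception) and netfilter (range blocking) modules would insert.
Added example; the sample dump and port numbers are constructed."""
import re
from dataclasses import dataclass

# Constructed sample of what `iptables-save` might print on a tampered router.
# Port 8888 and the two address ranges are placeholders, not VPNFilter values.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-ports 8888
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 203.0.113.0/24 -j DROP
-A FORWARD -s 198.51.100.0/24 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

REDIRECT_TARGETS = {"REDIRECT", "DNAT"}   # targets that divert traffic locally
RULE_RE = re.compile(r"^-A\s+(\S+)\s+.*$")  # "-A CHAIN <match options>"


@dataclass
class Finding:
    table: str
    chain: str
    kind: str   # "redirect" (htpx-style) or "block" (netfilter-style)
    rule: str


def parse_dump(dump: str):
    """Yield (table, chain, rule) for every -A rule in an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*nat", "*filter": start of a table
            table = line[1:]
        elif line == "COMMIT":            # end of the current table
            table = None
        elif table is not None:
            m = RULE_RE.match(line)
            if m:
                yield table, m.group(1), line


def _opt(rule: str, flag: str):
    """Return the value following an iptables option flag, or None."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", rule)
    return m.group(1) if m else None


def audit(dump: str):
    """Return findings for rules that intercept plain HTTP or drop whole ranges."""
    findings = []
    for table, chain, rule in parse_dump(dump):
        target = _opt(rule, "-j")
        # htpx-style: incoming TCP/80 diverted to a local port before routing.
        if (table == "nat" and chain == "PREROUTING"
                and target in REDIRECT_TARGETS
                and _opt(rule, "-p") == "tcp" and _opt(rule, "--dport") == "80"):
            findings.append(Finding(table, chain, "redirect", rule))
        # netfilter-style: forwarded traffic to/from a CIDR range silently dropped.
        elif table == "filter" and chain == "FORWARD" and target == "DROP":
            net = _opt(rule, "-d") or _opt(rule, "-s")
            if net and "/" in net:
                findings.append(Finding(table, chain, "block", rule))
    return findings


if __name__ == "__main__":
    # On a real device: iptables-save | python3 audit.py  (reading stdin instead)
    for f in audit(SAMPLE_DUMP):
        print(f"[{f.kind:8}] {f.table}/{f.chain}: {f.rule}")
```

The check is deliberately a heuristic: a legitimate firewall can carry DROP rules for address ranges, and a transparent proxy can legitimately redirect port 80, so each finding is a lead to compare against the device's known configuration rather than proof of infection. Rules that survive a reboot should be compared against the vendor's defaults, since stage 1 of VPNFilter persists and can re-apply them.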

Talos researchers also released a "Winbox Protocol Dissector" plugin on GitHub so that network engineers can analyse Winbox traffic with Wireshark or similar tools and monitor for abuse of the protocol, which VPNFilter used to compromise MikroTik devices.

Rebooting a device removes the second stage of VPNFilter, but the first stage persists across reboots, which lets the attackers re-establish contact with the rebooted device and reinstall the second stage remotely.

In conclusion, Talos analysts stated with high confidence that the Russian government was behind VPNFilter, since the malware shares code with the BlackEnergy malware used in large-scale attacks against targets in Ukraine.
