VPNFilter Malware Effect Larger Than Previously Thought

Researchers say the impact of the VPNFilter malware discovered last month is larger than originally reported.

On Wednesday, Cisco Talos researchers said they now believe the malware has infected twice the number of router brands than previously stated. They added that VPNFilter also delivers a more potent punch than they originally thought, and have identified a previously unidentified malicious malware module.

On May 23, Talos researchers first reported that Russian-speaking threat actors, with links to the BlackEnergy APT group, were behind the VPNFilter malware that infected 500,000 router brands (ranging from Linksys, MikroTik, NETGEAR and TP-Link as well as small office network attached storage (NAS) devices).

At the time, known malicious capabilities of VPNFilter included bricking the host device, executing shell commands for further manipulation, creating a ToR configuration for anonymous access to the device, or maliciously configuring the router’s proxy port and proxy URL to manipulate browsing sessions.

In updated research, Cisco Talos said the range of targeted routers now includes those made by manufacturers ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE, bringing the total number of router models targeted by VPNFilter adversaries to 75.

“These new discoveries have shown us that the threat from VPNFilter continues to grow,” Talos wrote in a technical breakdown of the malware on Wednesday.

A closer examination of VPNFilter also demonstrates that the malware has the capability to infect more than the targeted routers and NAS devices — and can traverse into the networks that those devices support.

“If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware,” researchers wrote.

To boot, Talos said that it has found a new stage-three module capable of injecting malicious content into web traffic as it passes through targeted network devices. Researchers identified the module as “ssler,” or an “endpoint exploitation module — JavaScript injection.”

“At the time of our initial posting, we did not have all of the information regarding the suspected stage-three modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user’s knowledge),” researchers wrote.

An additional “dstr” (device destruction module) component to the malware was also identified, which is “used to render an infected device inoperable by deleting files necessary for normal operation,” researchers wrote. “It deletes all files and folders related to its own operation first before deleting the rest of the files on the system, possibly in an attempt to hide its presence during a forensic analysis.”

Lastly, researchers discussed new insights into a stage-three packet-sniffer module that they said was targeting industrial control system traffic. The sniffer specifically singled out the SafeStream Gigabit Broadband VPN router TP-LINK R600VPN.

“VPNFilter is still in full force, in the wild, infecting a broader set of devices than known previously, which makes it quite concerning still,” wrote Derek Manky, global security strategist with Fortinet FortiGuard Labs, in an email. “This is a good example of how even exposed campaigns can continue to move with velocity.”