VPNFilter Malware Infects 500k Routers Including Linksys, MikroTik, NETGEAR

Malware called VPNFilter has infected 500,000 router brands ranging from Linksys, MikroTik, NETGEAR and TP-Link that are mostly used in home offices. Researchers at Cisco Talos said they decided to warn the public of the threat despite the fact the infected devices and malware are still under investigation.

Researchers said their investigation into VPNFilter has been over the last several months and included both law enforcement and private-sector intelligence partners. “We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves,” researchers wrote in a Wednesday post.

Talos believes the attacks are being perpetrated by state-sponsored or state-affiliated actors and that an attack leveraging those compromised devices could be “imminent.” Researchers can’t say for sure who is behind VPNFilter, but say code used by the malware authors overlap with BlackEnergy malware used in previous attacks in the Ukraine. Currently, VPNFilter malware has been found mostly on devices in the Ukraine, but also in 54 additional countries.

“The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols,” researchers wrote.

Researchers said the malware has destructive capabilities that allow an attacker to either infect a device or render it unusable. “[This] can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” the report stated.

More troubling to researchers, as of Thursday they “observed another substantial increase in newly acquired VPNFilter victims focused in Ukraine.”

The malware itself is multi-staged with phase one including VPNFilter targeting a number of CPU architectures of devices running firmware based on Busybox and Linux.

“The main purpose of these first-stage binaries is to locate a server providing a more fully featured second stage, and to download and maintain persistence for this next stage on infected devices,” Talos wrote.

Researchers said that this method of achieving persistence differs from other similar IoT malware such as Mirai. The Mirai malware could be removed from a device with a simple reboot. VPNFilter, on the other hand, “is capable of modifying non-volatile configuration memory values and adds itself to crontab, the Linux job scheduler, to achieve persistence,” according to the report.

After the malware has burrowed its way into a system’s memory, it begins to download an image from the image hosting site Photobucket, or from the domain toknowall[.]com as a backup. From the image downloaded, the malware extracts an IP address embedded in the image’s EXIF metadata that is used as a “listener” for the malware to receive instructions to initiate stage two.

“The stage 2 malware first sets up the working environment by creating a modules folder (/var/run/vpnfilterm) and a working directory (/var/run/vpnfilterw). Afterward, it will run in a loop, where it first reaches out to a C2 server, and then executes commands retrieved from the C2,” researchers wrote.

Malicious capabilities of VPNFilter include bricking the host device, executing shell commands for further manipulation, creating a ToR configuration for anonymous access to the device, or maliciously configuring the router’s proxy port and proxy URL to manipulate browsing sessions.

A third stage of the malware has also been observed where attackers leverage as many as two plugin modules – a packet sniffer and a communication plugin. Both leverage ToR to cloak communications. The packet sniffer module is capable of intercepting network traffic through a “raw socket” and looks for strings used in HTTP basic authentications. “This allows the attackers to understand, capture, and track the traffic flowing through the device,” researchers said.

Links made to the Russian-speaking actors with the BlackEnergy APT group were made when Cisco Talos researchers closely examined the malware’s encrypted binaries. “Analysis of this RC4 implementation shows that it is identical to the implementation used in BlackEnergy, which is believed by law enforcement agencies to originate with a state actor,” researchers stated.

“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks,” Talos researchers said.