
New Abilities, Targets of VPNFilter Malware Disclosed

by Chris Brook on Wednesday June 6, 2018


Researchers warned Wednesday that VPNFilter, the strain of potentially destructive malware uncovered last week, can infect more devices than previously thought. It also has the ability to intercept network traffic and deliver malicious payloads via a man-in-the-middle attack.

VPNFilter, the malware that was found running rampant on 500,000 hacked routers across 54 countries last month, can infect more devices than initially thought.

Researchers with Cisco's Talos divulged new details around the malware on Wednesday, including the fact that VPNFilter can also infect devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The researchers previously disclosed that the malware was targeting routers by Linksys, MikroTik, Netgear and TP-Link, along with network-attached storage devices made by QNAP.

The malware can also allow an attacker to deliver exploits to endpoints via a man-in-the-middle attack. By injecting malicious content into web traffic, an attacker could infect not just a vulnerable device but the entire network it sits on, Cisco researchers said Wednesday.

The module that carries that out, dubbed "ssler" by researchers, can also strip encryption from HTTPS sessions.


Perhaps more troubling, another new module, dstr, can render devices inoperable by removing files needed to run.

"The dstr modules are used to render an infected device inoperable by deleting files necessary for normal operation. It deletes all files and folders related to its own operation first before deleting the rest of the files on the system, possibly in an attempt to hide its presence during a forensic analysis," Cisco researchers wrote Wednesday.

Researchers with the firm said last week the malware had a "kill" command that could have been used to essentially brick devices. The new dstr (device destruction) module, which Talos refers to as a stage 3 module, allows any stage 2 module that lacks the "kill" command capability to disable the device.

Cisco said last week the malware had two other modules: one that sniffs network traffic and tracks Modbus TCP/IP packets, and one that communicates with command-and-control servers via the Tor network.

The FBI and DOJ helped lessen the malware's blow last Wednesday when they seized control of a server connected to its botnet, but the threat around the malware hasn't completely gone away.

Following the disruption, the FBI urged users to reboot their routers, but that alone is not enough to completely rid devices of VPNFilter. Rebooting will remove the stage 2 and 3 modules, but stage 1 will persist even after a router is rebooted. Users looking to truly eradicate the malware will need to wipe its custom settings with a factory reset (usually achievable via a button on the back of the device) and change its password.

Talos researchers warn that the latest revelations, especially the fact that the malware can inject malicious content into web traffic, are concerning.

If an attacker was able to infect a network they could “deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware,” William Largent, a threat researcher with Talos warned.

Tags:  Security News Malware
