Security Experts:

New VPNFilter Modules Reveal Extensive Capabilities

The recently discovered VPNFilter malware has even more capabilities than previously thought, researchers at Cisco Talos determined after identifying seven new modules.

VPNFilter’s existence was brought to light in May after the malware was analyzed by several cybersecurity firms. The malware infected at least half a million routers and network-attached storage (NAS) devices across more than 50 countries – it targets over 50 types of devices from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

Discovery of New VPNFilter Modules Shows New Malware Capabilities

The malware, whose main target appears to be Ukraine, has been linked to Russia. Cybersecurity firms and authorities in the United States have taken steps to neutralize VPNFilter, but Cisco Talos, which has spearheaded the investigation, says it can still be difficult to detect the malware in the wild.

The modules found initially by researchers allow VPNFilter to intercept data passing through the compromised device, monitor the network for communications over the Modbus SCADA protocol, and make an infected device unusable. Additional modules described later by Talos are designed for data exfiltration and JavaScript injection, and removing the malware from a device.

Talos has now published the results of its analysis into seven other VPNFilter modules that allow attackers to map networks and exploit endpoints connected to infected devices, obfuscate and encrypt data exfiltration and C&C communications, find new potential victims that can be reached from a compromised device, and build a distributed network of proxies that may be useful in other operations for obfuscating the source of attack traffic.

The company has shared detailed technical information for each of the newly analyzed modules.

The discovery and analysis of these modules has answered most unanswered questions about the malware itself, Talos said, but researchers have yet to determine exactly how the malware gains initial access to devices. While it doesn’t have definitive proof, Talos believes the most likely attack vector is through the exploitation of known vulnerabilities affecting devices.

Another question that remains unanswered is whether the threat group behind VPNFilter is trying to regain access. While some researchers reported in early June that the hackers controlling the botnet had continued targeting routers in Ukraine, Talos now says VPNFilter appears to have been completely neutralized.

However, the adversary may have not abandoned the foothold it gained into small and home office (SOHO) networks, and it might be trying to regain access to devices by re-exploiting vulnerabilities and dropping a new piece of malware.

“Have they given up on having broad worldwide SOHO access in favor of a more tailored approach only going after specific key targets?” Talos said. “Whatever the answers may be, we know that the actor behind VPNFilter is extremely capable and driven by their mission priorities to continually maneuver to achieve their goals. In one form or another, they continue to develop and use the tools and frameworks necessary to achieve their mission objective(s).”

Related: FBI Attribution of 'VPNFilter' Attack Raises Questions

Related: VPNFilter Malware Hits Critical Infrastructure in Ukraine

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.