A researcher team from Cisco found there are more than half a million router has infected by stealthy malware dubbed as VPNFilter. The researcher team called Talos have said that VPNFilter is more powerful man-in-the-middle attack which can survive over device reboot. Defined as three-stage malware, VPNFilter currently has infected over 54 countries, the number of infections could potentially increasing as VPNFilter capable infecting more variant of router and network-storage devices. As of June 2018, they found the evidence of that this destructive malware could able to infect variant model from D-Link, Huawei, QNap, UpVel, ZTE, LinkSys, MikroTik, NetGear, Asus, and TP-Link. Talos researcher dubbed the malware as VPNFilter based on one of the directories phrase (VPNFilterM and VPNFilterW) this malware creates to hide, and its nothing to do with any VPNs services.

VPNFilter is highly advanced, and multi-functional piece of malware that can survive over a reboot. The number of infections has been growing since May 17, 2018; including the two most prominent infections in Ukraine that controlled by a separated command-and-control (C2) servers. The spike and the advanced capabilities of this malware have urged Cisco’s Talos to release Wednesday’s report before the research is complete.

On the report, Cisco’s Talos mention that there is some portion of VPNFilter’s malware code overlaps with BlackEnergy because it contains a broken function involving the RC4 encryption cipher that’s identical to one located inside of BlackEnergy. The BlackEnergy was known as an all-purpose piece of spyware that used in the first stages of hacker intrusions that hit Ukraine in 2014. Cisco’s Talos, however, declined for the moment to definitively claim that the VPNFilter malware was the work of the same Russian hackers who previously targeted Ukraine. This statement is indicating another possibility that another hacker group could potentially have copied and reused the same code snippet from BlackEnergy. Also, the code overlap isn’t proof VPNFilter was developed by the Russian government. Cisco’s Talos report provided no further attribution to the attackers other than to say they used the domains ToKnowAll[.]com and API[.]IPify[.]org — and IP address

Experts have given moderate to high confidence that the VPNFilter was the work of Advanced Persistent Threat 28, also known as Fancy Bear, Sofacy Group, Pawn Storm, and Sednit, because of the reuse of code seen in the BlackEnergy malware that previously targeted Ukraine, and because it is using Modbus SCADA.

The Infection Mechanism

The routers or network-compatible storage devices are the targets for this malware because of these two reasons: (1) most (home and SOHO) devices are sitting outside the Firewall; and (2) they rarely receive software updates. Besides potential future malware attacks, these two reasons also address the routers to vulnerabilities that can allow remote hackers to take them over. Exact mechanism on how VPNFilter spread and infects its devices targets isn’t yet apparent. It is also difficult to tell if your device infected with VPNFilter either.

This sophisticated malware is using ssler (pronounced as “esler”) to manipulating the content delivered by websites to the endpoints. Besides modifying the content, this malware also stealing user credentials transmitted over the wire by downgrading the HTTPS connection to plaintext HTTP traffic. This has been made possible since ssler module can give a signal that the endpoint is not capable to use an encrypted connection. Including making special accommodations for traffic destined from/to Google, Facebook, Twitter, and YouTube.


The three-stages of VPNFilter malware define are as follows:

Stage One

This stage is installed first and allows VPNFilter to stay persistent even after the router is restarted. This malware infects devices running Busybox- and Linux-based firmware and is sophistically compiled for several CPU architectures. The Stage One primary purpose is to locate an attacker-controlled server on the Internet to obtain a more fully featured before it can reach Stage Two. This stage trying to finds the attacker-controlled server by downloading an image from Photobucket.comand extracting an IP address from six integer values used for GPS latitude and longitude stored in the EXIF field on the image meta-data field. Alternatively, when the Photobucket download fails, Stage One will try to proceed by downloading the image from ToKnowAll[.]com.

If both of these attempts fail, Stage One continues the act as a “listener” that waits for a particular trigger packet from the attackers, following checks this router public IP from API[.]IPify[.]org and stores it for future use. The Stage One processes persisted even after this device is restart.

Stage Two

Talos described Stage Two as a “workhorse intelligence-collection platform” that performs file collection, command execution, data exfiltration, and device management. Stage Two also contains a self-destruct capability that mostly renders the router non-functional by overwrites a critical portion of the device’s firmware, reboots the machine, and making it unusable. Talos believe that, even without the built-in kill command, the attackers can use Stage Two to destroy devices manually (remotely). This potentially could both knock users and companies offline.

Stage Three

Stage Three currently consists of two plugins that can be installed into the malware folder that enables VPNFilter to perform different functions such as sniff the network, monitor SCADA communication, and to communicate over TOR (anonymously). Cisco researchers believe Stage Three contains other plugins that have yet to be discovered.

The capabilities built into two plugins and the three-stages of the malware are incredibly versatile and would facilitate the actor to take advantage of devices in multiple ways.

While Stage One will run again after a router is rebooted, Stage Two and Three will not. For this reason, the FBI has suggested that everyone restart their router to disable Stage Two and Stage Three and also to allow the FBI to get a list of infected victims and the types of routers that are affected. The only real way to entirely remove this infection is to reset your router back to factory defaults, which will also reboot the router. Unfortunately, this process will require you to setup your router again, add an admin password, and set up any wireless networks that are configured.



Capabilities and Impact

The VPNFilter modular framework allows for quick changes to the actor’s operational infrastructure, assisting their goals of misattribution, data collection, and discovering a platform to conduct attacks.

The VPNFilter malware also makes it feasible for the actor to obscure themselves by using the devices as common points for connecting to final targets. The researchers also said they revealed evidence that the VPNFilter includes a command to permanently disable the devices, an ability that would allow the attackers to cripple Internet access for an unlimited number of users and companies worldwide or even in a specific region.

The VPNFilter’s firmware-corrupting capability creates possibilities for the actor behind the router malware for planning a mass disruption that might take down enormous numbers of networks concurrently.

Cisco’s Talos in early May 2018 noticed infected machines aggressively scanning TCP ports 23, 80, 2000, and 8080 ports which typically associated with Mikrotik and QNAP NAS systems, across more than 100 countries. Things got escalated on May 8 and May 17 after VPNFilter infections spike  – mainly in Ukraine. This spike situation urged Talos going public with its findings even before it had full knowledge of the attacks and the vulnerabilities exploited.

The sniffer feature seems to watch for communications over the ModBUS SCADA protocol that used for controlling automated equipment and internet-of-things devices. This malware potentially to be used to create an extensive, hard-to-attribute nation-wide infrastructure that can be used to serve multiple operational demands of the threat actor.

In short, the VPNFilter capabilities are as follows:

  • Monitor your online communications, including communications from your Internet-of-Things and SCADA network. Also potentially steal your websites login credentials;
  • Overwrite your router’s firmware to turn it into a useless brick and will disconnect you from the Internet for an extended period;
  • Using your router or network-capable storage platform to infect other devices. Eventually, this infected devices can launch organized DDoS attacks against other servers; and
  • Continuously advanced its plugins as it sent by the creator of this malware.

How to remove VPNFilter and protect your router or NAS

To completely remove VPNFilter and leveraging protection for your router and network-capable storage devices, please follow these steps precisely in these sequences:

  1. Reboot the router or network-storage capable device to remove stage two and three routines VPNFilter.
  2. Reset the router back to its Factory Defaults configuration. Please refer to the device user manual or your ISP for how-to perform resetting configuration. This process will do complete wipe your current router configuration.
  3. Perform upgrade process to the latest firmware.
  4. Re-configure your router. Change the default administrator password. Then disable Remote Administration on this device.
  5. Schedule daily or weekly reboot for this device to mitigate future infection possibilities.

While these steps will eliminate the VPNFilter from your device and at the same time leveraging protection from current known threats, they are not going to protect you forever. As new potential exploits discovered in the current firmware, your devices will become vulnerable again. Therefore, it is always crucial to check for new firmware updates and install them when they come out. The five sequences step above can be used as a way to remove universal routers or network-capable storage malware.