VPNFilter is a botnet with capabilities to support both intelligence collection and destructive cyberattack operations. The Cisco Talos team recently notified members of the Cyber Threat Alliance (CTA) of its findings and published this blog.
The malware is believed to target networking devices, although the malware’s initial infection vector is still unclear. Talos, which first reported this attack, claims that it has impacted at least 500,000 networking devices during the last few years. The malware can persist on infected devices and can steal website credentials and monitor Modbus SCADA protocols. It also implements file collection, command execution, data extraction, and device management and, even worse, it can render some or all of the infected devices unusable.
The known devices affected by VPNFilter are some network-attached storage (NAS) devices such as Linksys, MikroTik, Netgear, and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP.
Malware infection stages
VPNFilter has a three-stage infection.
Stage 1 completes the persistence on the system and uses multiple control mechanisms to find and connect the Stage 2 deployment server.
Stage 2 focuses on file collection, command execution, data extraction, and device management. Some versions possess a self-destruct capability to render itself unusable.
Stage 3 includes two known modules:
- A traffic sniffer to steal website credentials and monitor Modbus SCADA protocols
- Tor to communicate with anonymous addresses
Indicators of compromise and sample hashes
URLs and IPs
photobucket[.]com/user/nikkireed11/library
photobucket[.]com/user/kmila302/library
photobucket[.]com/user/lisabraun87/library
photobucket[.]com/user/eva_green1/library
photobucket[.]com/user/monicabelci4/library
photobucket[.]com/user/katyperry45/library
photobucket[.]com/user/saragray1/library
photobucket[.]com/user/millerfred/library
photobucket[.]com/user/jeniferaniston1/library
photobucket[.]com/user/amandaseyfried1/library
photobucket[.]com/user/suwe8/library
photobucket[.]com/user/bob7301/library
toknowall[.]com
91.121.109[.]209
217.12.202[.]40
94.242.222[.]68
82.118.242[.]124
46.151.209[.]33
217.79.179[.]14
95.211.198[.]231
195.154.180[.]60
5.149.250[.]54
91.200.13[.]76
94.185.80[.]82
62.210.180[.]229
91.200.13[.]76
91.214.203[.]144
6b57dcnonk2edf5a[.]onion/bin32/update.php
tljmmy4vmkqbdof4[.]onion/bin32/update.php
zuh3vcyskd4gipkm[.]onion/bin32/update.php
6b57dcnonk2edf5a[.]onion/bin32/update.php
File hashes
- First-Stage Malware
- 50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec
- 0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92
- Second-Stage Malware
- 9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17
- d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e
- 4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b
- 9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387
- 37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4
- 776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d
- 8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1
- 0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b
- Third-Stage Malware
- f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344
- afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719
Coverage and mitigation
The aforementioned IOCs are covered as follows:
- Detection names for files: Linux/VPNFilter and Linux/VPNFilter.a
- V3 DAT with coverage version: 3353
- V2 DAT with coverage version: 8902
- All samples are GTI classified as malware
- All relevant URLs are GTI classified
Further recommendations from the Talos threat research team:
- Reboot SOHO routers and NAS devices to remove the potentially destructive, nonpersistent Stage 2 and Stage 3 malware
- Work with the manufacturer to ensure that your device is up to date with the latest patches. Apply the updated patches immediately.
ISPs should work aggressively with their customers to ensure their devices are patched to the most recent firmware/