A new malware known as VPNFilter is capable of targeting a range of routers and NAS devices, rendering infected devices unusable, and of maintaining a persistent presence on an infected device even after a reboot. VPNFilter has a range of capabilities, including spying on traffic routed through the device. It specifically targets SCADA industrial control systems through a module that intercepts Modbus SCADA communications.
The malware has targeted devices in more than 54 countries, but the main target is Ukraine. The Russian government is considered to be behind the attack, as the code of this malware overlaps with versions of the BlackEnergy malware that targeted Ukraine. It is also believed to be part of a large attack against Ukraine on its Constitution Day, June 28.
VPNFilter is a multi-staged piece of malware:
Stage 1 is installed first and is used to maintain a persistent presence on the infected device; it contacts a command and control (C&C) server to download further modules.
Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers. It does this by overwriting a section of the device’s firmware and rebooting, rendering it unusable.
Stage 3 modules act as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor.
Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that the exploit of zero-day vulnerabilities is involved in spreading the threat.
To avoid infection, update the firmware of the devices in the environment and change the default passwords. As a further precaution, ensure that remote management is disabled on the routers. If a device is infected, rebooting it will remove the Stage 2 and Stage 3 elements present on the device. Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1.
Indicators of Compromise
| Category | Type | Value | Comment |
|---|---|---|---|
| Network activity | url | photobucket.com/user/nikkireed11/library | Associated with 1st stage |
| Network activity | url | photobucket.com/user/kmila302/library | Associated with 1st stage |
| Network activity | ip-dst | 46.151.209.33 | Associated with 2nd stage |
| Network activity | url | photobucket.com/user/suwe8/library | Associated with 1st stage |
| Artifacts dropped | sha256 | 0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92 | 1st stage malware |
| Artifacts dropped | sha256 | 9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17 | 2nd stage malware |
| Network activity | ip-dst | 91.214.203.144 | Associated with 2nd stage |
| Network activity | url | photobucket.com/user/katyperry45/library | Associated with 1st stage |
| Artifacts dropped | sha256 | 37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4 | 2nd stage malware |
| Artifacts dropped | sha256 | 776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d | 2nd stage malware |
| Network activity | url | photobucket.com/user/eva_green1/library | Associated with 1st stage |
| Network activity | ip-dst | 217.79.179.14 | Associated with 2nd stage |
| Network activity | url | photobucket.com/user/amandaseyfried1/library | Associated with 1st stage |
| Artifacts dropped | sha256 | 50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec | 1st stage malware |
| Artifacts dropped | sha256 | d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e | 2nd stage malware |
| Artifacts dropped | sha256 | 9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387 | 2nd stage malware |
| Network activity | url | photobucket.com/user/bob7301/library | Associated with 1st stage |
| Network activity | ip-dst | 82.118.242.124 | Associated with 2nd stage |
| Network activity | domain | toknowall.com | Associated with 1st stage |
| Network activity | url | photobucket.com/user/monicabelci4/library | Associated with 1st stage |
| Network activity | ip-dst | 94.185.80.82 | Associated with 2nd stage |
| Network activity | url | photobucket.com/user/lisabraun87/library | Associated with 1st stage |
| Network activity | ip-dst | 5.149.250.54 | Associated with 2nd stage |
| Network activity | url | photobucket.com/user/jeniferaniston1/library | Associated with 1st stage |
| Artifacts dropped | sha256 | 8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1 | 2nd stage malware |
| Network activity | ip-dst | 94.242.222.68 | Associated with 2nd stage |
| Network activity | url | photobucket.com/user/millerfred/library | Associated with 1st stage |
| Network activity | ip-dst | 195.154.180.60 | Associated with 2nd stage |
| Artifacts dropped | sha256 | f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344 | 3rd stage plugins |
| Network activity | ip-dst | 91.121.109.209 | Associated with 2nd stage |
| Artifacts dropped | sha256 | 0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b | 2nd stage malware |
| Artifacts dropped | sha256 | 4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b | 2nd stage malware |
| Network activity | ip-dst | 91.200.13.76 | Associated with 2nd stage |
| Artifacts dropped | sha256 | afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719 | 3rd stage plugins |
| Network activity | ip-dst | 62.210.180.229 | Associated with 2nd stage |
| Network activity | ip-dst | 95.211.198.231 | Associated with 2nd stage |
| Network activity | url | zuh3vcyskd4gipkm.onion/bin32/update.php | Associated with 2nd stage |
| Network activity | url | photobucket.com/user/saragray1/library | Associated with 1st stage |
| Network activity | ip-dst | 217.12.202.40 | Associated with 2nd stage |
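The indicators above are of three network types (url, domain, ip-dst), and each needs its own matching rule when swept against proxy or firewall logs: a URL IoC must survive scheme, case and trailing-slash differences, a domain IoC should also catch subdomains, and an IP IoC is compared against the destination address rather than the URL. The following script is an added example, not part of the original advisory; it loads a subset of the IoCs from the table (the values are copied from the page) and runs them over a few constructed proxy log lines in an assumed `timestamp client dst_ip method url` format. Only the log format and the sample lines are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the IoC table on this page (a subset is enough to
# show the matching logic; the full table can be loaded the same way).
IOCS = [
    ("Network activity", "url", "photobucket.com/user/nikkireed11/library", "Associated with 1st stage"),
    ("Network activity", "url", "photobucket.com/user/kmila302/library", "Associated with 1st stage"),
    ("Network activity", "ip-dst", "46.151.209.33", "Associated with 2nd stage"),
    ("Network activity", "domain", "toknowall.com", "Associated with 1st stage"),
    ("Network activity", "url", "zuh3vcyskd4gipkm.onion/bin32/update.php", "Associated with 2nd stage"),
]

def normalize_url(url):
    """Reduce a URL to lower-case host plus path, with no scheme, query or trailing
    slash, so 'HTTP://PhotoBucket.com/user/x/library/' equals the bare IoC form."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "") + parts.path.rstrip("/")

def index_iocs(iocs):
    """Split the flat IoC list into one lookup table per indicator type."""
    urls, domains, ips = {}, {}, {}
    for _category, kind, value, comment in iocs:
        if kind == "url":
            urls[normalize_url(value)] = comment
        elif kind == "domain":
            domains[value.lower()] = comment
        elif kind == "ip-dst":
            ips[ipaddress.ip_address(value)] = comment
    return urls, domains, ips

def match_domain(host, domains):
    """Match a host against domain IoCs, including subdomains
    (www.toknowall.com matches toknowall.com)."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

# Constructed proxy log lines (documentation/test addresses, not real traffic).
# Assumed format: timestamp client-ip destination-ip method url
SAMPLE_LOG = """\
2018-05-23T10:01:02Z 10.0.0.5 203.0.113.9 GET http://photobucket.com/user/nikkireed11/library/
2018-05-23T10:01:03Z 10.0.0.5 203.0.113.9 GET http://photobucket.com/user/someoneelse/library
2018-05-23T10:02:10Z 10.0.0.7 46.151.209.33 POST http://46.151.209.33/update
2018-05-23T10:03:44Z 10.0.0.9 203.0.113.44 GET https://www.toknowall.com/
2018-05-23T10:04:00Z 10.0.0.9 198.51.100.3 GET https://example.org/index.html
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def scan_log(text, iocs=IOCS):
    """Return one (timestamp, client, ioc_type, matched_value, comment) tuple per
    log line that touches a URL, domain or destination IP from the IoC list."""
    urls, domains, ips = index_iocs(iocs)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, dst_ip, _method, url = m.groups()
        norm = normalize_url(url)
        host = urlsplit(url).hostname or ""
        try:
            dst = ipaddress.ip_address(dst_ip)
        except ValueError:
            dst = None
        if norm in urls:
            hits.append((ts, client, "url", norm, urls[norm]))
            continue
        dom = match_domain(host, domains)
        if dom is not None:
            hits.append((ts, client, "domain", dom, domains[dom]))
        elif dst in ips:
            hits.append((ts, client, "ip-dst", dst_ip, ips[dst]))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Of the five constructed lines, three match: the first-stage photobucket URL, a connection to a second-stage IP, and a subdomain of toknowall.com; the unrelated photobucket library and example.org are left alone. Hash IoCs are not covered here because they are matched against files on disk rather than log lines.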
Known Affected Devices
LINKSYS Devices:
MIKROTIK ROUTEROS VERSIONS FOR CLOUD CORE ROUTERS:
Netgear Devices:
- DGN2200
- R6400
- R7000
- R8000
- WNR1000
- WNR2000
QNAP Devices:
TP-LINK Devices:
How to mitigate them:
- Apply the latest firmware updates to the devices in the environment.
- Run a router healthcheck.
- Change default passwords.
- Ensure that remote management is turned off on their router.
- Block the hashes, URLs and IPs listed in the IoCs.
- Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.
- Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset.
- Internet service providers that provide SOHO routers to their users should reboot the routers on their customers’ behalf.
- ISPs should work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.
Stage 1 Inspection (the Stage 1 listener watches incoming traffic for a trigger packet that carries the address of a Stage 2 server):
- Inspects all TCP/IPv4 packets with a SYN flag set
- Checks that the destination IP matches what it found when the listener opened (Note: if the listener failed to get an IP from api.ipify[.]org it will skip this check)
- Makes sure the packet has eight or more bytes
- Scans the data for the bytes \x0c\x15\x22\x2b
- The bytes directly after that 4-byte marker are interpreted as an IP address, so \x01\x02\x03\x04 becomes 1.2.3[.]4
- Calls out to the newly received IP as usual for stage 2
- Confirms that stage 2 is at least 1,001 bytes (Note: this is much smaller than the other callout methods, which require the stage 2 to be 100,000 bytes or more)
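The checks listed above are exactly what a network sensor needs to alert on the trigger packets, which is what the VPNFilter-specific Snort rules below do at the wire level. As an added example (not code from the original advisory or from the malware), the script below reproduces those checks in Python over constructed IPv4/TCP frames: SYN flag set, destination address equal to the listener's address unless that address is unknown, at least eight payload bytes, the 4-byte marker present, and the four bytes after it decoded as an IPv4 address. The packet builder exists only to produce in-memory test input (checksums are zero, nothing is transmitted); the sample addresses are documentation ranges and are constructed.

```python
import ipaddress
import struct

# 4-byte marker the Stage 1 listener scans for (value taken from the page).
MARKER = b"\x0c\x15\x22\x2b"
TCP_SYN = 0x02

def parse_ipv4_tcp(frame):
    """Parse a raw IPv4 packet carrying TCP.

    Returns (dst_ip, tcp_flags, payload), or None if the packet is not IPv4/TCP
    or is truncated. Checksums are not validated: this is a detector, not a stack.
    """
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or frame[9] != 6 or len(frame) < ihl + 20:
        return None
    dst_ip = str(ipaddress.IPv4Address(frame[16:20]))
    tcp = frame[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or len(tcp) < data_offset:
        return None
    return dst_ip, tcp[13], tcp[data_offset:]

def extract_trigger_ip(frame, listener_ip):
    """Apply the Stage 1 listener's checks as described on the page and return the
    embedded IPv4 address as a string, or None when the packet would be ignored.

    listener_ip=None models the case where the listener could not learn its own
    public address and therefore skips the destination-address check.
    """
    parsed = parse_ipv4_tcp(frame)
    if parsed is None:
        return None
    dst_ip, flags, payload = parsed
    if not flags & TCP_SYN:
        return None
    if listener_ip is not None and dst_ip != listener_ip:
        return None
    if len(payload) < 8:
        return None
    idx = payload.find(MARKER)
    if idx == -1 or len(payload) < idx + 8:
        return None
    return str(ipaddress.IPv4Address(payload[idx + 4:idx + 8]))

def build_tcp_packet(src_ip, dst_ip, flags, payload):
    """Construct a minimal IPv4+TCP packet in memory as test input for the detector.
    Constructed sample data: checksums are left at zero and nothing is sent."""
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return ip_hdr + tcp_hdr + payload

def scan_frames(frames, listener_ip):
    """Run the trigger check over captured frames; return (index, extracted_ip)
    for every packet that would have satisfied the Stage 1 listener."""
    alerts = []
    for i, frame in enumerate(frames):
        ip = extract_trigger_ip(frame, listener_ip)
        if ip is not None:
            alerts.append((i, ip))
    return alerts

# Constructed sample capture using documentation/test addresses only.
SAMPLE_FRAMES = [
    build_tcp_packet("198.51.100.7", "192.0.2.10", TCP_SYN, b"xxxx" + MARKER + b"\x01\x02\x03\x04"),
    build_tcp_packet("198.51.100.7", "192.0.2.10", TCP_SYN, b"short"),                      # < 8 bytes
    build_tcp_packet("198.51.100.7", "192.0.2.99", TCP_SYN, MARKER + b"\x0a\x00\x00\x01"),  # wrong dst
    build_tcp_packet("198.51.100.7", "192.0.2.10", 0x18, MARKER + b"\x0a\x00\x00\x01"),     # PSH/ACK, no SYN
    build_tcp_packet("198.51.100.7", "192.0.2.10", TCP_SYN, b"no marker here!!"),
]

if __name__ == "__main__":
    for idx, ip in scan_frames(SAMPLE_FRAMES, "192.0.2.10"):
        print(f"frame {idx}: Stage 1 trigger pattern, embedded address {ip}")
```

With the listener address known, only the first frame alerts; with the address unknown (the api.ipify[.]org failure case) the third frame also alerts, which is why a sensor watching for this pattern should not filter on destination address at all. The two size checks on the downloaded stage (1,001 versus 100,000 bytes) apply to the follow-up download, not to the trigger packet, so they are out of scope here.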
VPNFILTER SPECIFIC SNORT DETECTION:
45563 45564 46782 46783
SNORT RULES THAT PROTECT AGAINST KNOWN VULNERABILITIES IN AFFECTED DEVICES:
25589 26276 26277 26278 26279 29830 29831 44743 46080 46081 46082 46083 46084 46085 46086 46287 46121 46122 46123 46124 41445 44971 46297 46298 46299 46300 46301 46305 46306 46307 46308 46309 46310 46315 46335 46340 46341 46342 46376 46377 37963 45555 46076 40063 44643 44790 26275 35734 41095 41096 41504 41698 41699 41700 41748 41749 41750 41751 44687 44688 44698 44699 45001 46312 46313 46314 46317 46318 46322 46323 40866 40907 45157
References:
- https://blog.talosintelligence.com/2018/05/VPNFilter.html
- https://www.cnet.com/news/hackers-infected-over-500000-routers-with-potential-to-cut-off-internet-access/
- https://nakedsecurity.sophos.com/2018/05/23/vpnfilter-is-a-malware-timebomb-lurking-on-your-router/
- https://www.us-cert.gov/ncas/current-activity/2018/05/23/VPNFilter-Destructive-Malware
- https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
- https://www.cnbc.com/2018/05/23/cisco-warns-500000-routers-hacked-in-suspected-russian-attack.html
- https://www.virustotal.com/#/file/9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17/detection