VPNFilter Malware targets over half a million networking devices worldwide

 In Botnet, IoT, Malware, News, Threat Intelligence

A new piece of malware known as VPNFilter targets a range of routers and NAS devices. It can render infected devices unusable and maintains a persistent presence on an infected device, even after a reboot. VPNFilter has a range of capabilities, including spying on traffic routed through the device. It specifically targets SCADA industrial control systems through a module that intercepts Modbus SCADA communications.

The malware has targeted devices in more than 54 countries, but the main target is Ukraine. The Russian government is considered to be behind the attack, as the code of this malware overlaps with versions of the BlackEnergy malware that targeted Ukraine. It is also believed to be part of a large attack against Ukraine on its Constitution Day, June 28.

VPNFilter is a multi-staged piece of malware:

Stage 1 is installed first. It is used to maintain a persistent presence on the infected device and contacts a command and control (C&C) server to download further modules.

Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers. It does this by overwriting a section of the device’s firmware and rebooting, rendering it unusable.

Stage 3 modules act as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate over Tor.

Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older firmware versions. There is no indication at present that the exploitation of zero-day vulnerabilities is involved in spreading the threat.

To avoid being attacked, it is important to update the firmware of the devices in the environment and change the default passwords. As a further precaution, ensure that remote management is disabled on the routers. If a device is infected, rebooting it will remove the Stage 2 and Stage 3 elements present on the device. Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1.

Indicators of Compromise

Category | Type | Value | Comment
--- | --- | --- | ---
Network activity | url | photobucket.com/user/nikkireed11/library | Associated with 1st stage
Network activity | url | photobucket.com/user/kmila302/library | Associated with 1st stage
Network activity | ip-dst | 46.151.209.33 | Associated with 2nd stage
Network activity | url | photobucket.com/user/suwe8/library | Associated with 1st stage
Artifacts dropped | sha256 | 0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92 | 1st stage malware
Artifacts dropped | sha256 | 9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17 | 2nd stage malware
Network activity | ip-dst | 91.214.203.144 | Associated with 2nd stage
Network activity | url | photobucket.com/user/katyperry45/library | Associated with 1st stage
Artifacts dropped | sha256 | 37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4 | 2nd stage malware
Artifacts dropped | sha256 | 776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d | 2nd stage malware
Network activity | url | photobucket.com/user/eva_green1/library | Associated with 1st stage
Network activity | ip-dst | 217.79.179.14 | Associated with 2nd stage
Network activity | url | photobucket.com/user/amandaseyfried1/library | Associated with 1st stage
Artifacts dropped | sha256 | 50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec | 1st stage malware
Artifacts dropped | sha256 | d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e | 2nd stage malware
Artifacts dropped | sha256 | 9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387 | 2nd stage malware
Network activity | url | photobucket.com/user/bob7301/library | Associated with 1st stage
Network activity | ip-dst | 82.118.242.124 | Associated with 2nd stage
Network activity | domain | toknowall.com | Associated with 1st stage
Network activity | url | photobucket.com/user/monicabelci4/library | Associated with 1st stage
Network activity | ip-dst | 94.185.80.82 | Associated with 2nd stage
Network activity | url | photobucket.com/user/lisabraun87/library | Associated with 1st stage
Network activity | ip-dst | 5.149.250.54 | Associated with 2nd stage
Network activity | url | photobucket.com/user/jeniferaniston1/library | Associated with 1st stage
Artifacts dropped | sha256 | 8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1 | 2nd stage malware
Network activity | ip-dst | 94.242.222.68 | Associated with 2nd stage
Network activity | url | photobucket.com/user/millerfred/library | Associated with 1st stage
Network activity | ip-dst | 195.154.180.60 | Associated with 2nd stage
Artifacts dropped | sha256 | f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344 | 3rd stage plugins
Network activity | ip-dst | 91.121.109.209 | Associated with 2nd stage
Artifacts dropped | sha256 | 0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b | 2nd stage malware
Artifacts dropped | sha256 | 4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b | 2nd stage malware
Network activity | ip-dst | 91.200.13.76 | Associated with 2nd stage
Artifacts dropped | sha256 | afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719 | 3rd stage plugins
Network activity | ip-dst | 62.210.180.229 | Associated with 2nd stage
Network activity | ip-dst | 95.211.198.231 | Associated with 2nd stage
Network activity | url | zuh3vcyskd4gipkm.onion/bin32/update.php | Associated with 2nd stage
Network activity | url | photobucket.com/user/saragray1/library | Associated with 1st stage
Network activity | ip-dst | 217.12.202.40 | Associated with 2nd stage
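The table above is only useful once it is matched against what the environment actually logs. The following is an added example, not code from the original post or from any of the vendors it cites: it parses an excerpt of the IoC table in its flat "Category Type Value Comment" layout and sweeps a few constructed DNS, proxy, firewall and endpoint log lines for the listed domains, URLs, destination IPs and SHA-256 hashes. The log formats and the private addresses in them are invented for the example; the IoC values are copied from the table.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the IoC table from the post, kept in its original
# flat layout so the parser below handles the page's format directly.
IOC_TABLE = """\
Network activity url photobucket.com/user/nikkireed11/library Associated with 1st stage
Network activity ip-dst 46.151.209.33 Associated with 2nd stage
Artifacts dropped sha256 9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17 2nd stage malware
Network activity domain toknowall.com Associated with 1st stage
Network activity url zuh3vcyskd4gipkm.onion/bin32/update.php Associated with 2nd stage
"""

# Constructed sample log lines (formats and internal addresses are invented).
SAMPLE_LOGS = [
    "2018-05-23T10:01:02Z dns query client=192.168.1.20 qname=toknowall.com qtype=A",
    "2018-05-23T10:01:09Z proxy GET http://photobucket.com/user/nikkireed11/library 200",
    "2018-05-23T10:02:30Z fw ALLOW tcp 192.168.1.20:51234 -> 46.151.209.33:443",
    "2018-05-23T10:03:00Z fw ALLOW tcp 192.168.1.21:51235 -> 93.184.216.34:443",
    "2018-05-23T10:04:00Z edr file=/var/tmp/vpnfilter sha256=9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def parse_ioc_table(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the flat table into {ioc_type: {value: comment}}.

    Every category on the page is two words ("Network activity",
    "Artifacts dropped"), so tokens[0:2] is the category, tokens[2] the
    type, tokens[3] the value and whatever follows is the comment.
    """
    iocs: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4:
            continue  # blank or header line
        ioc_type, value = tokens[2], tokens[3].lower()
        iocs.setdefault(ioc_type, {})[value] = " ".join(tokens[4:])
    return iocs


def match_log_line(line: str, iocs: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (type, value, comment) for every IoC present in one log line."""
    hits: List[Tuple[str, str, str]] = []
    lowered = line.lower()
    # Exact set lookups for the structured indicator types.
    for ip in IPV4_RE.findall(lowered):
        if ip in iocs.get("ip-dst", {}):
            hits.append(("ip-dst", ip, iocs["ip-dst"][ip]))
    for digest in SHA256_RE.findall(lowered):
        if digest in iocs.get("sha256", {}):
            hits.append(("sha256", digest, iocs["sha256"][digest]))
    # URLs are matched as substrings so any scheme or query string still hits.
    for url, comment in iocs.get("url", {}).items():
        if url in lowered:
            hits.append(("url", url, comment))
    # Domains: allow subdomains (a leading ".") but not "nottoknowall.com".
    for domain, comment in iocs.get("domain", {}).items():
        if re.search(r"(?<![\w-])" + re.escape(domain) + r"(?![\w-])", lowered):
            hits.append(("domain", domain, comment))
    return hits


def scan_logs(lines: List[str], iocs: Dict[str, Dict[str, str]]) -> Dict[int, List[Tuple[str, str, str]]]:
    """Return {line_index: hits} for every line containing at least one IoC."""
    findings: Dict[int, List[Tuple[str, str, str]]] = {}
    for index, line in enumerate(lines):
        hits = match_log_line(line, iocs)
        if hits:
            findings[index] = hits
    return findings


if __name__ == "__main__":
    table = parse_ioc_table(IOC_TABLE)
    for index, hits in scan_logs(SAMPLE_LOGS, table).items():
        for ioc_type, value, comment in hits:
            print(f"line {index}: {ioc_type} {value} ({comment})")
```

A first-stage hit (the photobucket URLs or toknowall.com) indicates a device that is still trying to fetch Stage 2 and therefore still carries Stage 1, which a reboot alone will not remove; second-stage IP hits point at devices that already have the destructive payload.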

Known Affected Devices

LINKSYS Devices:

  • E1200
  • E2500
  • WRVS4400N

MikroTik RouterOS versions for Cloud Core Routers:

  • 1016
  • 1036
  • 1072

Netgear Devices:

  • DGN2200
  • R6400
  • R7000
  • R8000
  • WNR1000
  • WNR2000

QNAP Devices:

  • TS251
  • TS439 Pro

TP-LINK Devices:

  • R600VPN

How to mitigate:

  • Apply the latest firmware updates to the devices in the environment.
  • Run a router health check.
  • Change default passwords.
  • Ensure that remote management is turned off on the router.
  • Block the hashes, URLs and IPs listed in the IoCs above.
  • Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.
  • Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch while power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up first, as these will be wiped by a hard reset.
  • Internet service providers that supply SOHO routers to their users should reboot the routers on their customers’ behalf.
  • ISPs should work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.

Stage 1 listener inspection (how Stage 1 recognises an inbound trigger packet, useful for network detection):

  • Inspects all TCP/IPv4 packets with the SYN flag set
  • Checks that the destination IP matches what it found when the listener opened (Note: if the listener failed to get an IP from api.ipify[.]org it skips this check)
  • Makes sure the packet has eight or more bytes of data
  • Scans the data for the bytes \x0c\x15\x22\x2b
  • The bytes directly after that 4-byte marker are interpreted as an IP, so \x01\x02\x03\x04 becomes 1.2.3[.]4
  • Calls out to the newly received IP as usual for Stage 2
  • Confirms that Stage 2 is at least 1,001 bytes (Note: this is much smaller than the other callout methods, which require Stage 2 to be 100,000 bytes or more)
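The listener checks above translate directly into a network detection: a SYN packet addressed to the router whose payload carries the 4-byte marker should never appear in normal traffic. The code below is an added example, not code from the original post or from Talos; it applies the same sequence of checks (TCP, SYN set, destination address, payload length, marker, embedded IP) to a raw IPv4 packet so that a defender can flag such packets in a capture and record which address the device would have been told to contact. The packet builder and the addresses used are constructed for the example, and checksums are left at zero because nothing here verifies them.

```python
import ipaddress
import struct
from typing import Optional

# 4-byte marker the Stage 1 listener scans for, as described in the post.
MARKER = b"\x0c\x15\x22\x2b"


def build_ipv4_tcp(src_ip: str, dst_ip: str, payload: bytes, flags: int = 0x02) -> bytes:
    """Constructed test helper: minimal IPv4 + TCP packet, no options, zero checksums.
    flags defaults to SYN (0x02)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 6, 0,   # v4/IHL=5, TOS, len, id, frag, TTL, proto=TCP, csum
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        40000, 80, 0, 0,       # sport, dport, seq, ack
        5 << 4, flags,         # data offset = 5 words, flag byte
        65535, 0, 0,           # window, checksum, urgent pointer
    )
    return ip_hdr + tcp_hdr + payload


def extract_trigger_ip(packet: bytes, device_ip: Optional[str]) -> Optional[str]:
    """Apply the Stage 1 listener's checks to one raw IPv4 packet.

    Returns the dotted IP that follows the marker when every check passes,
    otherwise None. device_ip=None mirrors the case where the listener could
    not learn its own address and skips the destination check.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                       # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        return None                       # not TCP
    if device_ip is not None and packet[16:20] != ipaddress.IPv4Address(device_ip).packed:
        return None                       # destination is not this device
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return None
    if not tcp[13] & 0x02:
        return None                       # SYN flag not set
    payload = tcp[(tcp[12] >> 4) * 4:]
    if len(payload) < 8:
        return None                       # "eight or more bytes" of data
    idx = payload.find(MARKER)
    if idx == -1 or len(payload) < idx + 8:
        return None                       # no marker, or no room for the 4-byte IP
    return str(ipaddress.IPv4Address(payload[idx + 4: idx + 8]))


if __name__ == "__main__":
    # Constructed sample: SYN to the device carrying the marker and 1.2.3.4.
    device = "198.51.100.7"
    sample = build_ipv4_tcp("203.0.113.5", device, MARKER + b"\x01\x02\x03\x04")
    print("trigger IP:", extract_trigger_ip(sample, device))   # 1.2.3.4
    benign = build_ipv4_tcp("203.0.113.5", device, b"GET / HTTP/1.1\r\n")
    print("benign:", extract_trigger_ip(benign, device))       # None
```

In practice this logic sits on a span port or in a packet capture in front of the router; any non-None result is an alert, and the extracted address is itself a candidate second-stage IoC to add to the block list.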
VPNFilter-specific Snort detection (rule SIDs):

45563 45564 46782 46783

Snort rules that protect against known vulnerabilities in affected devices (rule SIDs):

25589 26276 26277 26278 26279 29830 29831 44743 46080 46081 46082 46083 46084 46085 46086 46287 46121 46122 46123 46124 41445 44971 46297 46298 46299 46300 46301 46305 46306 46307 46308 46309 46310 46315 46335 46340 46341 46342 46376 46377 37963 45555 46076 40063 44643 44790 26275 35734 41095 41096 41504 41698 41699 41700 41748 41749 41750 41751 44687 44688 44698 44699 45001 46312 46313 46314 46317 46318 46322 46323 40866 40907 45157

References:
  • https://blog.talosintelligence.com/2018/05/VPNFilter.html
  • https://www.cnet.com/news/hackers-infected-over-500000-routers-with-potential-to-cut-off-internet-access/
  • https://nakedsecurity.sophos.com/2018/05/23/vpnfilter-is-a-malware-timebomb-lurking-on-your-router/
  • https://www.us-cert.gov/ncas/current-activity/2018/05/23/VPNFilter-Destructive-Malware
  • https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
  • https://www.cnbc.com/2018/05/23/cisco-warns-500000-routers-hacked-in-suspected-russian-attack.html
  • https://www.virustotal.com/#/file/9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17/detection
Header image from wired.com