Researchers at Cisco Talos have discovered a sophisticated IoT botnet malware named VPNFilter, which has already infected at least 500,000 devices in at least 54 countries.
VPNFilter is multistage, modular malware, named after the directory (/var/run/vpnfilterw) that it creates to hide its files on the infected device. The malware is capable of stealing website credentials and monitoring industrial control systems.
“The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” the researchers said in their blog post.
How VPNFilter Malware Works
The stage 1 malware persists through a reboot, which sets it apart from most IoT malware; its job is to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 also uses command and control infrastructure to find the IP address of the current stage 2 deployment server.
The stage 2 malware, which unlike stage 1 does not survive a reboot, possesses capabilities including file collection, command execution, data exfiltration and device management.
The malware also contains multiple stage 3 modules which serve as plugins for stage 2. At the time of the research, the researchers were aware of only two modules. The first is a packet sniffer which collects traffic passing through the device, including website credentials, and monitors Modbus SCADA protocols.
The second is a communication module which allows stage 2 to communicate over Tor. Some versions of stage 2 also contain a self-destruct feature which overwrites a critical portion of the device's firmware and reboots it, rendering the device unusable.
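To make concrete what the stage 3 packet sniffer described above can harvest from a compromised SOHO router, here is an added example in Python, written for this article rather than taken from the Talos analysis or from the malware itself. It decodes a constructed Modbus/TCP read request and pulls a Basic-auth credential out of a constructed plaintext HTTP login; the packet bytes, the hostname, the username and the password are all made up for the example. The point is that a device sitting in the traffic path needs no exploit against the endpoints: Modbus/TCP carries no authentication or encryption, and HTTP Basic auth is only base64.

```python
"""
Added example (not code from the Talos report or from VPNFilter):
parse traffic the way a passive sniffer on a router could, to show
what plaintext Modbus/TCP and HTTP expose to whoever owns the device.
All packet bytes, hosts and credentials below are constructed.
"""
import base64
import struct
from typing import Optional

MODBUS_TCP_PORT = 502

# Public Modbus function codes (subset) for readable output
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


def parse_modbus_tcp(payload: bytes) -> Optional[dict]:
    """Parse the 7-byte MBAP header plus PDU of one Modbus/TCP ADU.
    Returns None if the bytes are not a plausible Modbus/TCP frame."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack("!HHHB", payload[:7])
    # Protocol ID is always 0 for Modbus; length counts unit id + PDU
    if pid != 0 or length != len(payload) - 6:
        return None
    func = payload[7]
    pdu = payload[8:]
    info = {"transaction_id": tid, "unit_id": unit, "function": func,
            "function_name": FUNCTION_NAMES.get(func, "Unknown"),
            "exception": bool(func & 0x80)}
    # The common read/write requests start with a 16-bit address and a count/value
    if func in (1, 2, 3, 4, 5, 6, 15, 16) and len(pdu) >= 4:
        info["address"], info["value_or_count"] = struct.unpack("!HH", pdu[:4])
    return info


def extract_http_basic_auth(payload: bytes) -> Optional[dict]:
    """Pull a Basic-auth user/password pair out of a plaintext HTTP request."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or len(lines[0].split(" ")) != 3:   # "METHOD PATH HTTP/x.y"
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                try:
                    decoded = base64.b64decode(token, validate=True).decode()
                except (ValueError, UnicodeDecodeError):
                    return None
                user, _, pw = decoded.partition(":")
                return {"username": user, "password": pw}
    return None


def classify_flow(dst_port: int, payload: bytes) -> dict:
    """What a sniffer positioned on the router learns from one TCP segment."""
    if dst_port == MODBUS_TCP_PORT:
        modbus = parse_modbus_tcp(payload)
        if modbus:
            return {"kind": "modbus", **modbus}
    if dst_port in (80, 8080):
        creds = extract_http_basic_auth(payload)
        if creds:
            return {"kind": "http-credentials", **creds}
    return {"kind": "other"}


# Constructed sample segments (not captured traffic):
# MBAP: tid=1, pid=0, len=6, unit=1; PDU: func 3, start 0, 10 registers
MODBUS_READ_HR = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000A")
# A router admin login over plain HTTP with a made-up credential
HTTP_LOGIN = (b"GET /admin HTTP/1.1\r\nHost: router.lan\r\n"
              b"Authorization: Basic " + base64.b64encode(b"admin:hunter2")
              + b"\r\n\r\n")

if __name__ == "__main__":
    print(classify_flow(502, MODBUS_READ_HR))
    print(classify_flow(80, HTTP_LOGIN))
    print(classify_flow(443, b"\x16\x03\x01"))   # TLS record: nothing to harvest
```

The same two parsers can be pointed at a pcap exported from the router's WAN or LAN side to find out which hosts still speak Modbus across it and which management logins still go over plain HTTP; segmenting the ICS network away from SOHO gear and moving device management to HTTPS removes exactly what the sniffer module would collect.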
According to the researchers, although devices across 54 countries are infected, the attackers are specifically targeting Ukraine. On May 8 there was a significant rise in infection activity, and almost all newly infected victims were located in Ukraine.
The researchers also spotted a code overlap between VPNFilter and BlackEnergy, the malware responsible for multiple large-scale attacks against Ukraine.
As the research is still ongoing, the full list of affected devices is not yet known. So far, most of the infected devices are small office/home office (SOHO) networking devices from Linksys, MikroTik, NETGEAR and TP-Link, as well as QNAP network-attached storage (NAS) devices.
If your device is infected, reset it to factory default settings to remove the malware, then update it with the latest firmware available. A simple reboot is not enough: it clears stages 2 and 3 but leaves the persistent stage 1 in place, which will then re-fetch the later stages.