The destructive VPNFilter malware that has infected hundreds of thousands of network devices in recent weeks also has the capability to compromise endpoints on the networks where it takes up residence, and can inject malicious code into traffic passing through infected routers, researchers now say.
VPNFilter is a multistage piece of malware that targets a number of different consumer and small-office routers made by manufacturers such as Linksys, D-Link, Netgear, Asus, MikroTik, Huawei, and ZTE. It has a number of features, including one that allows the malware to steal credentials and another that can render infected devices unusable. Researchers began tracking VPNFilter several months ago and first published details about it late last month, saying that it already had infected more than 500,000 devices and had some ties to the notoriously destructive Black Energy malware.
Like Black Energy, VPNFilter has targeted many victims in Ukraine and has the ability to destroy data on compromised devices. But VPNFilter mainly targets consumer-grade routers and has a different set of capabilities. VPNFilter has several different stages: one for infection and setup; a second for data collection and exfiltration and firmware destruction; and a third that comprises a series of modules used by the second stage to perform specific tasks such as packet sniffing and credential theft. Researchers have said that the VPNFilter platform has all of the hallmarks of tools used by nation state attackers.
Recently, researchers have discovered new details about the capabilities of VPNFilter, including the feature that can allow the malware to attack endpoints on an infected network.
“At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge),” researchers from Cisco’s Talos team wrote in an analysis of the malware.
“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports.”
The newly discovered module, known as ssler, allows VPNFilter to exfiltrate stolen data and also performs the malicious code injection. It does this through a multistep process that begins by redirecting all port 80 traffic to its own service on the infected router. The malware then rewrites web requests passing through the router so that requests for HTTPS resources become plain HTTP requests, removing the security layer.
“Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected and manipulated before being sent to the legitimate HTTP service. All HTTP requests are sslstripped,” Cisco’s analysis says.
“Any instances of the string https:// are replaced with http://, converting requests for secure HTTP resources to requests for insecure ones so sensitive data such as credentials can be extracted from them.”
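As an added example (not code from the Talos analysis), the following is a defender-side canary check for the https:// to http:// rewriting described above: fetch a reference copy of a page over a path you trust, fetch it again through the suspect router, and report any link whose scheme was downgraded. The HTML snippets and example.com URLs are constructed for the demonstration.

```python
"""Canary check for sslstrip-style link downgrades.

Compare a page obtained over a trusted path with the copy observed
through a router under suspicion and flag every URL that was https://
in the reference but http:// in the observed copy.  Added example,
not part of the Talos write-up or the malware itself."""
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action"}  # attributes that carry URLs


class _LinkCollector(HTMLParser):
    """Collects every URL-bearing attribute value in document order."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value)


def extract_urls(html: str) -> list:
    """Return all href/src/action values found in the HTML."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.urls


def find_downgrades(reference_html: str, observed_html: str) -> list:
    """Return observed http:// URLs whose host/path was https:// in the reference."""
    secure = {u[len("https://"):] for u in extract_urls(reference_html)
              if u.lower().startswith("https://")}
    return [u for u in extract_urls(observed_html)
            if u.lower().startswith("http://") and u[len("http://"):] in secure]


# Constructed sample: the page as served over a trusted path ...
REFERENCE = ('<a href="https://example.com/login">Sign in</a>'
             '<form action="https://example.com/auth"></form>'
             '<img src="http://example.com/logo.png">')
# ... and the same page as seen through a router that rewrites https:// to http://
OBSERVED = REFERENCE.replace("https://", "http://")

if __name__ == "__main__":
    for url in find_downgrades(REFERENCE, OBSERVED):
        print("downgraded link:", url)
```

A clean path returns an empty list; any hit means something between the client and the origin is rewriting secure links, which is exactly the behaviour worth alerting on.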
VPNFilter also includes a module that can destroy several files on an infected device and make it inoperable, as well as erasing all of the files connected to the malware infection. It then removes the device’s file system and reboots the infected device. Researchers are continuing to look into VPNFilter’s operation and targets, but already the malware is showing all of the signs of the high-level malware tools used by state attackers.
“These new discoveries have shown us that the threat from VPNFilter continues to grow. In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support. If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware,” Cisco’s Talos researchers said.