On May 23, 2018, Talos Group released its analysis of an ongoing malware attack it named “VPNFilter.” The Talos analysis indicates that this attack was first identified in 2016 and, as of June 2018, has compromised more than 500,000 endpoints. The compromised endpoints themselves are predominantly small office or home office (SOHO) routers; however, network attached storage (NAS) offerings like QNAP, a common SOHO NAS appliance, have also been targeted.
Furthermore, VPNFilter shows similarities in code and functionality to BlackEnergy malware. BlackEnergy effectively targeted industrial enterprise networks and was responsible for the December 2015 Ukraine power grid cyberattack that left 80,000 people without power for more than six hours. Like BlackEnergy, VPNFilter maintains a Supervisory Control and Data Acquisition (SCADA) monitoring plug-in that operators can configured.
The severity of VPNFilter’s malicious potential is further exacerbated as attackers appear to be spreading the malware manually, and no complex automated targeting features have yet been detected. (Symantec’s analysis has more on this.) The malware also maintains a robust toolset capable of performing several remote actions indicative of heavily controlled malware including:
- DDoS attacks
- Command execution
- SCADA monitoring
- Network sniffing
- Credential stealing
- Tor proxy connections
- Data erasure
- Device destruction
VPNFilter, much like BlackEnergy, has targeted Ukrainian organizations. Evidence reveals that the malware’s supporting infrastructure maintains a single command and control (C2) server through which a majority of identified compromised Ukrainian organizations communicate. VPNFilter’s scope appears to expand beyond Ukraine, however, as there are known compromised network devices across 54 unique countries. Security Week released an article on May 28, 2018 drawing connections between the BlackEnergy code sharing and Ukrainian targeting as common Russian activity.
The Current State of VPNFilter Malware
VPNFilter is difficult to detect because it predominantly targets embedded network appliances that traditionally sit at the edge of a network outside of the majority of network monitoring appliances. Most devices compromised by VPNFilter are generic devices made from the following companies: Linksys, MikroTik, NETGEAR, and TP-Link. A complete listing of the known SOHO device models vulnerable to VPNFilter is available at the end of this blog post.
SOHO environments are not usually monitored or managed on an ongoing basis, and the inherently poor security hygiene typical of these devices certainly doesn’t help. To make matters worse, VPNFilter targets devices are built on BusyBox or Linux firmware, opening the door for additional IoT-style devices to fall into the scope of VPNFilter’s reach.
VPNFilter Malware Analysis
VPNFilter malware comprises of a three-staged execution with each stage performing a specific functionality:
In stage 1, the malware gains control of the device and establishes persistence. It is important to note that stage 1 is the only stage that establishes persistence on an infected device. Persistence is achieved by modifying the NVRAM memory and the creating a cronjob. The ability for VPNFilter to create persistence differentiates itself from other IoT-style malware as it remains on the device after a reboot.
Stage 1 exists purely to install stage 2. To achieve installation, the malware establishes an encrypted connection through SSL to the legitimate website: photobucket.com. (A complete list of compromised Photobucket accounts is available below.) Should a compromised device successfully connect to one of the Photobucket images, stage 1 will scrape the image’s EXIF metadata for its latitude and longitude coordinates. These coordinate values are binary value representations of a VPNFilter’s C2 system. Stage 1 will then use the C2 IP address to download stage 2. (To learn how the stage 1 malware decodes the IP addresses from the GPS coordinates, Kaspersky SecureList Blog wrote a detailed description of this process.)
If stage 1 is unable to acquire a working C2 address from the Photobucket addresses, the malware will attempt to follow the same process via a backup domain, toknowall[.]com. If this attempt is also unsuccessful, the stage 1 malware will enter a listen-only mode in which it will listen to all inbound packets with the device’s destination IP address that have the SYN flag set. If a packet matches, stage 1 scans for the byte value \x0C\x15\x22\x2B. If this is a successful match, stage 1 will extract the next four bytes, each of which represents an IPv4 octet represented in a one-byte integer. By combining these bytes, the address for a C2 system containing the stage 2 malware for download can be recovered. Stage 1 initiates a final action of performing a size-check to ensure that the stage 2 file has at least 1,001 bytes of data to perform its function.
Stage 2 contains the bulk of functionality for the VPNFilter malware. It is important to note that this stage does not maintain persistence on the device in and of itself. If the device were to reboot, the malware would no longer be present on the device and stage 1, which is persistent, would have to download stage 2 again. Coincidently, the malware also relies on this non-persistence to function as a failsafe measure. The functions stage 2 can perform are pulled from the malware’s switch options, which include:
- Kill: Rewrites the first 5000 bytes of the /dev/mtdblock0 with binary zeros — bricking the device
- Exec: Provides shell capabilities
- Tor: Establishes Tor functionality
- Copy: Copies data from the device to the C2 server
- Seturl: Alters the configured URL
- Proxy: Sets current proxy URL
- Port: Sets the current proxy port
- Delay: Sets time delay between executions
- Reboot: Reboots the device
- Download: Downloads a given URL to a file
Given the above commands, the attacker can download additional tools, exfiltrate data from the device, alter the communication paths (including URLs and ports), and break the device by rewriting the boot records of the device followed by a restart.
Perhaps the most interesting aspect of this particular stage is the attacker’s ability to direct traffic through a Tor infrastructure. This capability allows the device to communicate over an encrypted and anonymized proxy network, masking attribution and preventing network sniffing of device communications. It appears the attacker can turn this functionality on and off at will. The ability to enable Tor communications also leads to stage 3 of the malware.
Stage 3 is considered the plug-in stage, providing the stage 2 malware with additional capabilities tailored for specific uses. As of the time the Talos post published, there were only two known plug-in modules: the Tor plug-in just discussed, and a packet sniffer plug-in.
The stage 3 sniffer plug-in can perform basic network packet monitoring centered around HTTP authentication and on the Modbus SCADA protocol. The HTTP request sniffing is known to collect website credentials, which it stores on the compromised device. The collected credentials can be used to enable future network compromise. Additionally, the sniffing plug-in can monitor the ModBus protocol used to display system statistics and data in a human-readable manner from SCADA systems. The plug-in monitors SCADA system data and saves this data to the compromised device, storing the data within the VPNFilter working directory.
This SCADA-monitoring plug-in highlights the close ties with the BlackEnergy trojan previously mentioned.
How to Mitigate VPNFilter Malware
Talos provides two steps to mitigate a VPNFilter compromise:
- Reset devices to factory settings and reboot.
- Patch and update routers with the latest firmware.
Rebooting network devices alone will not remove the infection completely. Rebooting the device will only remove stage 2 and stage 3 infections; it will not address stage 1 infections, (because this stage maintains persistence). An additional mitigation step that could be included would be to monitor traffic leaving your network perimeter.
Detect VPNFilter with LogRhythm’s AI Engine Rules
To help you detect VPNFilter, LogRhythm Labs has implemented VPNFilter malware alarms within the Current Active Threat (CAT) Module. LogRhythm Labs has also supplied customers with AI Engine rules designed to identify network communications between network devices, any of the known VPNFilter C2 infrastructure, and all of the identified URL addresses used to propagate malware across a victim network.
If you are a LogRhythm client and have enabled the CAT module, the AI Engine rules are already uploaded to your environment. Should an event regarding either C2 or URL connections occur within your environment and log sources are properly configured to collect and transmit this data to LogRhythm, the CAT : VPNFilter alarms will fire. For customers who have not upgraded to at least LogRhythm 7.3.1, or for customers who simply wish to manually import the CAT : VPNFilter rules, please click here to download the content.
Indicators of Compromise (IOCs)
The following lists delineate all of the known indicators for the VPNFilter malware:
- Linksys Devices
- TS439 Pro
Command and Control