Cisco’s Talos Intelligence group has found several more capabilities in the VPNFilter malware that infected 500,000 routers worldwide earlier this year and sparked fears that Russia was planning a massive attack on Ukraine.
The malware was notable because it allowed an attacker to destroy one or many infected routers at once, potentially cutting off access to the internet for hundreds of thousands of households and small businesses.
VPNFilter affected Linksys and Netgear routers, but Talos Intelligence’s research has since focussed on MikroTik-branded routers in Ukraine since these appeared to be the prime targets of the attackers.
The research focused on MikroTik’s administration utility, called Winbox, and the protocol it uses, which helped uncover seven new third-stage modules, one of which made it more effective to attack devices behind network routers and switches. Others include features that encrypt command-and-control traffic and the traffic being siphoned off network devices.
The work also found network mapping tools that can help identify additional devices that can be compromised after a network has been penetrated, and yet more tools to pinpoint edge devices on other networks that may have been of interest to the attacker.
“The sophisticated nature of this framework further illustrates the advanced capabilities of the threat actors making use of it,” Talos Intelligence researchers noted.
The module “httpx” redirects and inspects HTTP traffic content that passes through infected devices and is the module capable of exploiting endpoints.
“We identified that the module inspects HTTP communications to identify the presence of Windows executables,” they noted.
The executable is then flagged and added to a table, which the attackers most likely then used in order to manipulate Windows executables as they pass through compromised devices.
Another module called “ndbr” is a modified version of the Dropbear SSH server and client, while “nm” provided network mapping capabilities from infected devices.
“Netfilter” was a denial-of-service tool which could block access to encrypted apps, including WhatsApp, Tencent’s QQ Chat, and several more apps that use Amazon infrastructure, such as Wickr, Signal, Dust, and Confide. Notably absent from this list was Telegram.
“This indicates that the netfilter module may have been designed to deny access to specific forms of encrypted applications, possibly in an attempt to herd victim communications to a service that the actor preferred they use,” the researchers note.
Another module called “tcvpn” made it possible to set up a reverse-TCP VPN on compromised devices, allowing the attacker to remotely access internal networks behind infected devices. This module’s design is similar to VPN Pivoting, a feature of the penetration testing software kit Cobalt Strike.
Cisco’s researchers still have no proof of the exact way the attackers installed VPNFilter on so many routers, but they suspect the attackers used publicly known vulnerabilities, such as CVE-2018-14847, which affected MikroTik equipment and was widely used in malware campaigns throughout April, a month prior to the FBI’s takedown.
The researchers believe VPNFilter has for the most part been neutralized and that most questions about the malware have now been answered.