VPNFilter Malware



The 23rd of March 2018, Talos Intelligence published a research about a critical malware spreading across internet using SOHO internet devices like modem/router/firewall.

The study shows that at this time at least 500K devices has been infected by this malware, by using well known (and different) bugs present on the firmware of the targets. Right now is not clear who is actually carrying on this attack, even if it looks that Ukraine is one of the most infected countries.

The code of the attack has several overlap with an older malware dubbed “BlackEnergy”, targeting especially Ukraine as well.

The malware infeinfection is done in 3 stages:

fasi infezione

In the first stage the malware infects the device by loading a “BusyBox” based executable, compiled for the various architectures targeted by the attack. This is a persistent part of the malware.

Once the device is infected, the second stage tries to get in touch with C&C server to get commands to be executed. There are several commands isolated during the analysis, some of them have potential destructive capability on the device itself (overwriting the device flash):

  • kill: Overwrites the first 5,000 bytes of /dev/mtdblock0 with zeros, and reboots the device (effectively bricking it).
  • exec: Executes a shell command or plugin.
  • tor: Sets the Tor configuration flag (0 or 1).
  • copy: Copies a file from the client to the server.
  • seturl: Sets the URL of the current configuration panel.
  • proxy: Sets the current proxy URL.
  • port: Sets the current proxy port.
  • delay: Sets the delay between main loop executions.
  • reboot: Reboots the device if it has been up for more than 256 seconds, and the build name is specified in the parameter.
  • download: Downloads a URL to a file. This can be applied to all devices or just a certain build name.

This looks like a very sophisticated attack, targeting more end-users or small organizations. The potential of such a botnet must be kept under control in any case.

The 24th of May, a new has been published: “FBI has seized a key web domain communicating with a massive global botnet of hundreds of thousands of infected SOHO routers and other NAS devices.”

Vulnerable devices:

At this time the list of know vulnerable devices is the following:

Linksys Devices:

  • E1200
  • E2500
  • WRVS4400N

Mikrotik RouterOS Versions for Cloud Core Routers:

  • 1016
  • 1036
  • 1072

Netgear Devices:

  • DGN2200
  • R6400
  • R7000
  • R8000  
  • WNR1000
  • WNR2000

QNAP Devices:

  • TS251
  • TS439 Pro


Right now some of the known IoC for this malware are the following (look at talos site in references for a complete list):

  • Associated with the 1st Stage
    • photobucket[.]com/user/nikkireed11/library
    • photobucket[.]com/user/kmila302/library
    • photobucket[.]com/user/lisabraun87/library
    • photobucket[.]com/user/eva_green1/library
    • photobucket[.]com/user/monicabelci4/library
    • photobucket[.]com/user/katyperry45/library
    • photobucket[.]com/user/saragray1/library
    • photobucket[.]com/user/millerfred/library
    • photobucket[.]com/user/jeniferaniston1/library
    • photobucket[.]com/user/amandaseyfried1/library
    • photobucket[.]com/user/suwe8/library
    • photobucket[.]com/user/bob7301/library
    • toknowall[.]com
  • Associated with the 2nd Stage
    • 91.121.109[.]209
    • 217.12.202[.]40
    • 94.242.222[.]68
    • 82.118.242[.]124
    • 46.151.209[.]33
    • 217.79.179[.]14
    • 91.214.203[.]144
    • 95.211.198[.]231
    • 195.154.180[.]60
    • 5.149.250[.]54
    • 91.200.13[.]76
    • 94.185.80[.]82
    • 62.210.180[.]229
    • zuh3vcyskd4gipkm[.]onion/bin32/update.php 

Identification of the malware could be a bit difficult for end users, since the infected device is usually the one at the network border. For this reason is very important for ISP to be vigilant on suspect traffic about this, to be able to inform the owners of the affected devices.

Talos also released a set of Snort signatures available to identify the presence of the vulnerabilities.