Russian router-killing VPNFilter malware more powerful than first thought

7 Jun 2018


Nasty VPNFilter malware can attack connected devices, downgrade HTTPS and render routers unusable.

A stealthy malware attack dubbed VPNFilter, which has so far hit more than 500,000 routers in 54 countries, is on the move and researchers from Cisco say that it is more powerful than originally thought.

The attack, which is believed to have originated in Russia, was previously thought to target only routers from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

‘If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware’
– TALOS INTELLIGENCE

But now, new devices are also being impacted, including routers from Linksys, MikroTik, Netgear and TP-Link.

A poison pill

Cisco’s Talos Intelligence has warned that as well as attacking endpoints behind firewalls, the malware also comes with a “poison pill” that will destroy infected devices.

In a module dubbed ‘ssler’, VPNFilter performs an active man-in-the-middle attack on web traffic passing through the router: it can inject malicious payloads into that traffic and modify the content delivered by websites. This can then be used to steal sensitive data passed between connected endpoints and the wider internet.
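One way a defender can check for the kind of downstream tampering described above is to compare a page as seen by a client behind the router with a reference copy fetched out of band (for example over a mobile connection) and look for stripped HSTS headers, https-to-http rewriting and scripts that were not in the original. The following Python is an added example, not code from the article or from Talos; the two HTTP responses are constructed samples, and `bank.example` and `example.invalid` are placeholder hosts.

```python
"""Compare a web response seen through a suspect router with a copy fetched out of
band; report indicators of the HTTPS-downgrade/injection behaviour attributed to 'ssler'."""
import re

HTTPS_LINK = re.compile(r"https://[\w.-]+")
SCRIPT_TAG = re.compile(r"<script[^>]*>.*?</script>", re.I | re.S)

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def downgrade_indicators(reference: str, observed: str) -> list:
    """Return human-readable findings; an empty list means no tampering was seen."""
    _, ref_hdr, ref_body = parse_response(reference)
    _, obs_hdr, obs_body = parse_response(observed)
    findings = []
    # 1. HSTS stripped: the browser loses its instruction to insist on TLS.
    if "strict-transport-security" in ref_hdr and "strict-transport-security" not in obs_hdr:
        findings.append("HSTS header removed")
    # 2. An https:// redirect rewritten to plain http://.
    ref_loc, obs_loc = ref_hdr.get("location", ""), obs_hdr.get("location", "")
    if ref_loc.startswith("https://") and obs_loc.startswith("http://"):
        findings.append(f"redirect downgraded: {ref_loc} -> {obs_loc}")
    # 3. https:// links in the page body rewritten to http://.
    for link in sorted(set(HTTPS_LINK.findall(ref_body)) - set(HTTPS_LINK.findall(obs_body))):
        if link.replace("https://", "http://", 1) in obs_body:
            findings.append(f"link downgraded: {link}")
    # 4. Script blocks present downstream but absent from the reference copy.
    ref_scripts = set(SCRIPT_TAG.findall(ref_body))
    for script in SCRIPT_TAG.findall(obs_body):
        if script not in ref_scripts:
            findings.append("injected script: " + script[:40])
    return findings

# Constructed samples: the same page as served by the site and as seen by a LAN client.
REFERENCE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Strict-Transport-Security: max-age=31536000\r\n\r\n"
             '<html><body><a href="https://bank.example/login">Log in</a></body></html>')
OBSERVED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            '<html><body><a href="http://bank.example/login">Log in</a>'
            '<script src="http://example.invalid/inject.js"></script></body></html>')

if __name__ == "__main__":
    print("\n".join(downgrade_indicators(REFERENCE, OBSERVED)) or "no indicators")
```

A clean comparison returns an empty list; any finding is a reason to take the router offline and re-flash it from vendor firmware rather than to trust further traffic through it.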

“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” Talos said in a research note on the malware’s additional capabilities.

Talos also discovered a module called ‘dstr’, which removes traces of the malware from the device and renders the router unusable.

“These new discoveries have shown us that the threat from VPNFilter continues to grow. In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware’s capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support,” Talos said.

“If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com