A Wi-Fi Router. / Photo by: Maxpixel
The Talos Intelligence blog reported that at least half a million routers in at least 54 countries have been infected with the VPNFilter malware. The affected devices are Linksys, MikroTik, NETGEAR and TP-Link networking equipment of the kind used in small offices and home offices, along with QNAP network-attached storage devices.
VPNFilter is a sophisticated multi-stage, modular malware platform capable of stealing website credentials and monitoring Modbus SCADA traffic. It is also destructive: it can render an infected device unusable, either on individual machines or on a large scale, which could cut off Internet access for hundreds of thousands of potential victims worldwide.
It has similarities with the BlackEnergy malware, which has been blamed for multiple large-scale attacks on devices in Ukraine. Talos also noted that VPNFilter has been infecting hosts in that eastern European country at an alarming rate, using a command-and-control infrastructure dedicated to Ukraine.
Moreover, the devices VPNFilter targets are difficult to defend: they sit on the perimeter of the network and typically have no intrusion prevention system or anti-virus software protecting them.
Stage 1 of the malware persists through a reboot, which sets VPNFilter apart: most other malware targeting Internet-of-Things devices does not survive a reboot. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware.
The stage 2 malware does not survive a reboot, but it carries the capabilities expected of a workhorse intelligence-collection platform: file collection, command execution, data exfiltration, and device management.
Two stage 3 modules have been identified; they function as plugins that extend stage 2 with additional functionality. The first is a packet sniffer for collecting traffic that passes through the device, including website credentials and Modbus SCADA traffic. The second is a communications module that lets stage 2 communicate over Tor. These are the only stage 3 modules found so far, but the Talos team expects more to be discovered.
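To make concrete why a sniffer sitting on a perimeter router matters, the following is an added illustration (not code from the Talos write-up or from the malware) of what such a module can pull out of plaintext traffic: a credential from an HTTP Authorization header and the header and function code of a Modbus/TCP request. Both packets are constructed inline for the example, and the assumption that "website credentials" means HTTP Basic authentication is this example's, not the page's.

```python
import base64
import struct
from typing import Optional

# Constructed sample traffic, standing in for packets a router-resident
# sniffer would see in transit. Neither frame comes from a real capture.
HTTP_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"  # base64 of admin:hunter2
    b"\r\n"
)

# Modbus/TCP frame: 7-byte MBAP header (transaction id, protocol id, length,
# unit id) followed by the PDU. Here: Write Single Register (function 0x06)
# to register 0x0010 with value 0x1234. The MBAP length counts unit id + PDU.
MODBUS_FRAME = struct.pack(">HHHB", 0x0001, 0x0000, 6, 0x11) + bytes(
    [0x06, 0x00, 0x10, 0x12, 0x34]
)

MODBUS_FUNCTIONS = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


def extract_basic_credentials(payload: bytes) -> Optional[tuple[str, str]]:
    """Return (user, password) if the HTTP request carries Basic auth, else None.

    Basic auth is only base64, not encryption, so anything on the path between
    client and server (a compromised router included) recovers it directly.
    """
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")
        return user, password
    return None


def parse_modbus_tcp(frame: bytes) -> Optional[dict]:
    """Decode the MBAP header and function code of a Modbus/TCP request.

    Returns None when the frame is too short, is not Modbus/TCP (protocol id
    must be 0), or its length field disagrees with the bytes actually present.
    """
    if len(frame) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0 or length != len(frame) - 6:
        return None
    function_code = frame[7]
    info = {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        "function": MODBUS_FUNCTIONS.get(function_code, "Other/Vendor"),
        "is_write": function_code in WRITE_FUNCTIONS,
    }
    # Single-coil and single-register writes carry a 2-byte address and value.
    if function_code in (0x05, 0x06) and len(frame) >= 12:
        info["address"], info["value"] = struct.unpack(">HH", frame[8:12])
    return info


if __name__ == "__main__":
    print("credentials:", extract_basic_credentials(HTTP_REQUEST))
    print("modbus:", parse_modbus_tcp(MODBUS_FRAME))
```

The point for defenders is that nothing here requires breaking any cryptography: HTTP Basic credentials and Modbus/TCP both cross the wire in the clear, so a foothold on the router is enough. Enforcing TLS for management interfaces and isolating Modbus segments from Internet-facing routers removes exactly this exposure.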