
VPNFilter

Posted: May 28, 2018

VPNFilter is malware that intercepts the network traffic passing through an infected router, tampers with the device's settings, and accepts remote commands to launch additional attacks, much like the payloads of a backdoor Trojan. Its campaign targets Ukraine and the industrial sector in particular, though not exclusively. Follow the directions in this article to remove VPNFilter promptly and to revert any hostile settings changes on your routers or NAS devices.

The Internet-of-Things Gets a New Stage Hazard in Play

While some IoT infections can be resolved by nothing more than rebooting the infected device, a new spyware campaign operating worldwide, but concentrated on Ukraine, is built to survive that simple fix. The spyware, VPNFilter, appears to be the work of the Sofacy Group, Russian threat actors operating at a level of sophistication comparable to the creators of Stuxnet and Havex. Like those threats, VPNFilter includes features specific to SCADA protocols, but the depth of its payload and its implications for security reach well beyond industrial systems.

VPNFilter primarily affects routers from several brands, including the Netgear R8000 and the Linksys E2500, but it also infects some QNAP network-attached storage devices running the Linux-based QTS operating system. The threat runs in three separate stages:

  • The first stage is the only part of VPNFilter that persists across reboots. Its job is to download and install the second and third stages automatically, and to reinstall them whenever they have been lost.
  • Stage two is the main body of the infection. It carries the backdoor's command-handling features and the spyware routines that upload collected data to the threat actor's Command & Control (C&C) server. The attacker can also instruct it to render the device inoperable ('brick' it), presumably to destroy evidence of the infection or to sabotage the victim's network.
  • Stage three consists of several specialized plugin modules, such as a credential stealer for website logins and the SCADA-monitoring plugin.

As of this writing, malware researchers have not observed any zero-day exploits in VPNFilter's campaign, so fully patched hardware should be immune to its known initial infection vectors.

Cleaning Out the Filter between You and the Web

Users who believe their devices may be compromised should follow their vendor's brand-specific instructions. Typical recommendations include rebooting the router, which strips VPNFilter back to its stage-one component, before taking further measures, and installing any available firmware updates. Users also should change any passwords and related credentials that are still at their default settings. In extreme cases, a complete factory reset of the device may be necessary.
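The stage breakdown above says only stage one survives a reboot, and the cleanup advice says to reboot, patch and, if needed, factory-reset. One way to verify that a reboot or reset actually left nothing behind is to baseline the device's persistence locations and diff them afterward. The following shell script is an added example written for this article, not code from the original page or from any router vendor; the list of persistence locations, the baseline path and the BusyBox-style filesystem layout are assumptions, and the script is a generic persistence audit, not a VPNFilter signature.

```shell
#!/bin/sh
# Added example, not code from the original article or from any vendor: a
# baseline-and-diff audit of the locations a stage-one loader must touch to
# survive a reboot on an embedded Linux router or NAS. The location list and
# the baseline path are assumptions for a BusyBox-style system; they are not
# VPNFilter indicators, and a change reported here is a lead, not a verdict.

# Relative paths (under a root) where reboot persistence is usually planted.
PERSIST_LOCATIONS="etc/crontabs etc/cron.d etc/init.d etc/rc.local var/spool/cron"

# snapshot_persistence ROOT
# Emit one "crc size path" line (POSIX cksum) for every regular file under the
# persistence locations, sorted so two snapshots can be compared line by line.
# Paths containing spaces are not handled; they are rare on embedded systems.
snapshot_persistence() {
    root="${1%/}"
    for loc in $PERSIST_LOCATIONS; do
        [ -e "$root/$loc" ] || continue
        find "$root/$loc" -type f
    done | sort | while IFS= read -r f; do
        cksum "$f"
    done
}

# save_baseline ROOT FILE
# Record the known-good state. Take this on a freshly flashed or factory-reset
# device, before it is exposed to untrusted networks.
save_baseline() {
    snapshot_persistence "$1" > "$2"
}

# check_persistence ROOT FILE
# Compare the live state with the baseline. Prints "ADDED", "CHANGED" or
# "REMOVED" followed by the path for every difference; returns 1 if anything
# differs and 0 if the persistence locations match the baseline exactly.
check_persistence() {
    root="$1"
    baseline="$2"
    changes=$(
        snapshot_persistence "$root" | while IFS= read -r line; do
            path="${line##* }"
            if cut -d' ' -f3- "$baseline" | grep -qxF "$path"; then
                grep -qxF "$line" "$baseline" || echo "CHANGED $path"
            else
                echo "ADDED $path"
            fi
        done
        cut -d' ' -f3- "$baseline" | while IFS= read -r p; do
            [ -f "$p" ] || echo "REMOVED $p"
        done
    )
    [ -n "$changes" ] && printf '%s\n' "$changes"
    [ -z "$changes" ]
}

# Usage: persist-audit.sh baseline [ROOT] [FILE]   # right after a factory reset
#        persist-audit.sh check    [ROOT] [FILE]   # after a reboot, or on a schedule
case "${1:-}" in
    baseline) save_baseline "${2:-/}" "${3:-/tmp/persist.baseline}" ;;
    check)    check_persistence "${2:-/}" "${3:-/tmp/persist.baseline}" ;;
esac
```

Take the baseline right after a factory reset or firmware flash, then run `check` after every reboot or on a schedule from a management host over SSH. An attacker with root on the device can tamper with the script, with `cksum`, or with the baseline file, so keep the baseline off the device and, where possible, run the comparison against a firmware image pulled from the device rather than on the device itself.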

As of May 24th, the FBI has seized a domain in VPNFilter's Command & Control infrastructure to disrupt its communications. However, the spyware and backdoor Trojan remains a high-level threat with sophisticated data exfiltration and hardware destruction capabilities. Specialized anti-malware products may disinfect a compromised device where appropriate, or delete VPNFilter before it completes its exploit-based installation.

Anti-Ukrainian threats are not scarce; malware experts also point to similar campaigns using harmful encryption (such as the GandCrab3 Ransomware) or rootkit-based persistence (as with Uroburos). What sets VPNFilter apart is not its preferred victims but the broad and aggressively persistent scope of its payload once it is deployed.
