A hacker group with suspected ties to the Russian government has infected more than 500,000 routers and other devices with highly sophisticated malware, possibly in preparation for future large-scale attacks.
According to researchers from Cisco Systems’ Talos division, the massive botnet is made up of compromised devices located in more than 54 countries, primarily home and small-office routers from Linksys, MikroTik, Netgear and TP-Link and network-attached storage (NAS) devices from QNAP.
The devices have been infected with a multistage malware framework that has versions for at least the x86 and MIPS processor architectures. While the exact infection methods have not been established, almost all of the infected devices have publicly documented vulnerabilities, so the attackers likely use public exploits and not zero-days.
The code of the malware, which has been dubbed VPNFilter, has similarities to BlackEnergy, a Trojan that was used in the December 2015 cyberattack against the Ukrainian power grid. That attack has been attributed by security companies and intelligence agencies to hackers linked to the Russian government.
Cisco Talos has been working with other industry partners to investigate VPNFilter for the past several months. Even though they don’t yet have all the information, they decided to go public with their preliminary findings because of two recent infection spikes in Ukraine, which might signal an imminent attack against the country.
VPNFilter is one of the most sophisticated malware frameworks for embedded devices found to date. It’s multistaged, highly modular and, unlike most router malware, can survive reboots. It can also brick infected devices if attackers decide to do so, leaving those devices unusable without expert help or specialized equipment.
“The destructive capability particularly concerns us,” the Cisco Talos researchers said in their report. “This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware. If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor’s purposes.”
After a device is successfully exploited, attackers will deploy a first-stage binary compiled for Linux-based systems with BusyBox userspace. This payload can modify the values stored in the device’s non-volatile memory (NVRAM) and will add itself to crontab, the Linux job scheduler, to achieve persistence.
The first-stage component then connects to Photobucket.com, an image hosting service, to download an attacker-uploaded photo from a particular gallery. The photo’s EXIF data contains an IP address for a download server encoded as geolocation coordinates.
If the photo cannot be downloaded, the malware has a backup method of obtaining the download server’s IP address. If that method fails as well, it will start listening for a specifically crafted network packet sent by the attackers that contains the server’s IP address.
In conclusion, the malware has built-in redundancy to make sure attackers won’t lose control over the botnet and will be able to update it in multiple ways.
Once it establishes communication with the server, the first-stage payload proceeds to download a more complex second-stage component that connects to a command-and-control (C2) server hosted on the Tor anonymity network to receive instructions. This component can execute shell commands on the infected device, reboot the device, kill it, download files from the server, upload local files to the server, make the device act as a proxy server and more.
Attackers can instruct the malware to download and execute special plug-ins from yet another server that implement additional functionality. The Talos researchers observed two such plug-ins, but they believe there are many more that haven’t been found yet.
One of the plug-ins operated as a local traffic sniffer, extracting credentials and other information from HTTP connections passing through the router. It also looked for and monitored traffic over the Modbus SCADA protocols, which suggests the attackers might be trying to identify networks that are linked to industrial control systems.
“At the time of this posting, we have not been able to acquire a third-stage plugin that would enable further exploitation of the network served by the device,” the Talos researchers said. “However, we have seen indications that it does exist, and we assess that it is highly likely that such an advanced actor would naturally include that capability in malware that is this modular.”
The VPNFilter malware is very versatile and is difficult to block. It targets devices that are directly exposed to the internet, don’t run security software, are rarely updated and have known vulnerabilities. The malware also uses sophisticated persistence techniques and flexible command-and-control infrastructure that’s difficult for researchers to take down.
The VPNFilter botnet can be used for many purposes. Attackers can use it to steal login credentials from users, identify interesting private networks and attack them from within, hide their tracks during cyberoperations against other targets or launch crippling distributed denial-of-service attacks.
“While the threat to IoT devices is nothing new, the fact that these devices are being used by advanced nation-state actors to conduct cyber operations, which could potentially result in the destruction of the device, has greatly increased the urgency of dealing with this issue,” the Cisco Talos researchers said. “We call on the entire security community to join us in aggressively countering this threat.”