Russian VPNFilter: New Modules Create a Larger Threat
The Russian malware threat, Cytek originally reported on earlier this year, is bigger than originally thought. The discovery of seven new modules puts smart device users at a much greater risk.
Who’s Behind the Threat:
The United States Federal Bureau of Investigation has pinned the malware attacks on Russian hacker group, Fancy Bear. Fancy Bear has compromised hundreds of thousands of routers and networks in 54 different countries. The group has previously been linked to malware attacks such as those on the Democratic National Committee, the World Anti-Doping Agency, and the PyeongChang Olympics.
How VPNFilters Work:
VPN malware targets a range of routers and network-attached storage (NAS) devices with known weaknesses. It works by installing itself on a router where it can then execute commands, collect data, and render the device unusable.
Researchers have now discovered that the malware has seven new modules:
- htpx:A module that redirects and inspects unencrypted HTTP traffic.
- ndbr: A multifunctional secure shell utility that allows remote access to the device.
- nm: A network mapping module that performs a port scan and uses Mikrotik Network Discovery Protocol to search for other Mikrotik devices.
- netfilter: A denial-of-service utility that is used to block sets of network addresses.
- Portforwarding: A module that forwards network traffic to the attacker’s specified infrastructure.
- socks5proxy: A module that sets up a SOCKS5 proxy on the compromised device.
- tcpvpn: A module that sets up a Reverse-TCP VPN on the compromised device, allowing the attackers to export data over a virtual private network and giving them remote command and control.
These modules expand the functionality of the VPNFilter, increasing its ability to compromise data and conceal data filtering. The malware is believed to be able to maintain its presence on a device even after a reboot.
How to Protect Yourself:
We recommend that owners of these vulnerable devices reboot their devices to temporarily disrupt the malware. Owners should also use strong passwords and encryption and disable remote management settings. Updating devices to the latest available versions of firmware is also strongly advised.
If the malware has already infected your device, a hard-reset to factory settings will remove the VPNFilter. After a reset, the owner of the device should change all existing login credentials and update system.