Talos experts published technical details for other seven VPNFilter modules

Experts from Talos continues to monitor the evolution of the VPNFilter malware, it is more powerful than previously thought.

In May, security firm Talos along with other cybersecurity firms and law enforcement agencies have uncovered a huge botnet dubbed VPNFilter, composed of more than 500,000 compromised routers and network-attached storage (NAS) devices.

The malicious code targets dozens of types of devices from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

VPNFilter is a multi-stage, modular strain of malware that has a wide range of capabilities for both cyber espionage and sabotage purpose.

Researchers believe the nation-state malware was developed by the same author of the BlackEnergy malware.

On May 8, Talos researchers observed a spike in VPNFilter infection activity, most infections in Ukraine and the majority of compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

According to the experts at Fortinet that analyzed the malware, VPNFilter operates in the following three stages:

  • Stage 1 implements a persistence mechanism and redundancy; it allows the malware to survive a reboot.
  • Stage 2 includes data exfiltration, command execution, file collection, and device management. Only in some versions it is present a self-destruct module.
  • Stage 3 includes multiple modules that perform different tasks. At the time researchers identified only three modules:
    • A packet sniffer for traffic analysis and potential data exfiltration.
    • The monitoring of MODBUS SCADA protocols.
    • Communication with obfuscated addresses via TOR

VPNFilter malware

Now a new report published by Talos includes technical details for other seven VPNFilter modules that are used by the attackers to map networks and compromise endpoints connected to infect devices, obfuscate and encrypt malicious traffic, exfiltrate data, communicate to the C&C, scan the compromised networks for new potential victims that can be reached from an infected device, and build a distributed network of proxies that may be used in future attacks to hide the source of malicious traffic.

Talos analysis shed the light on many aspects of the malware, except for the way the VPNFilter gains initial access to devices.

It is still unclear is the threat actors behind the botnet is attempting to reconstitute their access, but Talos researchers believe VPNFilter appears to have been completely neutralized.

“Based on our telemetry and information from our partners, it appears that VPNFilter has been entirely neutralized since we and our international coalition of partners (law enforcement, intelligence organizations, and the Cyber Threat Alliance) countered the threat earlier this year. Most C2 channels for the malware have been mitigated.” reads the report published by Talos.

“The stage 2 implants were non-persistent, so most have likely been cleared from infected devices. We have seen no signs of the actor attempting to reconnect with devices that may still have the persistent stage 1 with an open listener.”

Experts conclude the attackers behind VPNFilter are extremely capable and driven by their mission priorities, for this reason, they will continue to improve their arsenal to achieve their mission objective(s).



Pierluigi Paganini

(Security Affairs – VPNFilter, hacking)


The post Talos experts published technical details for other seven VPNFilter modules appeared first on Security Affairs.

Leave a Reply

Talos experts published technical details for other seven VPNFilter modules

Experts from Talos continues to monitor the evolution of the VPNFilter malware, it is more powerful than previously thought.

In May, security firm Talos along with other cybersecurity firms and law enforcement agencies have uncovered a huge botnet dubbed VPNFilter, composed of more than 500,000 compromised routers and network-attached storage (NAS) devices.

The malicious code targets dozens of types of devices from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

VPNFilter is a multi-stage, modular strain of malware that has a wide range of capabilities for both cyber espionage and sabotage purpose.

Researchers believe the nation-state malware was developed by the same author of the BlackEnergy malware.

On May 8, Talos researchers observed a spike in VPNFilter infection activity, most infections in Ukraine and the majority of compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

According to the experts at Fortinet that analyzed the malware, VPNFilter operates in the following three stages:

  • Stage 1 implements a persistence mechanism and redundancy; it allows the malware to survive a reboot.
  • Stage 2 includes data exfiltration, command execution, file collection, and device management. Only in some versions it is present a self-destruct module.
  • Stage 3 includes multiple modules that perform different tasks. At the time researchers identified only three modules:
    • A packet sniffer for traffic analysis and potential data exfiltration.
    • The monitoring of MODBUS SCADA protocols.
    • Communication with obfuscated addresses via TOR

VPNFilter malware

Now a new report published by Talos includes technical details for other seven VPNFilter modules that are used by the attackers to map networks and compromise endpoints connected to infect devices, obfuscate and encrypt malicious traffic, exfiltrate data, communicate to the C&C, scan the compromised networks for new potential victims that can be reached from an infected device, and build a distributed network of proxies that may be used in future attacks to hide the source of malicious traffic.

Talos analysis shed the light on many aspects of the malware, except for the way the VPNFilter gains initial access to devices.

It is still unclear is the threat actors behind the botnet is attempting to reconstitute their access, but Talos researchers believe VPNFilter appears to have been completely neutralized.

“Based on our telemetry and information from our partners, it appears that VPNFilter has been entirely neutralized since we and our international coalition of partners (law enforcement, intelligence organizations, and the Cyber Threat Alliance) countered the threat earlier this year. Most C2 channels for the malware have been mitigated.” reads the report published by Talos.

“The stage 2 implants were non-persistent, so most have likely been cleared from infected devices. We have seen no signs of the actor attempting to reconnect with devices that may still have the persistent stage 1 with an open listener.”

Experts conclude the attackers behind VPNFilter are extremely capable and driven by their mission priorities, for this reason, they will continue to improve their arsenal to achieve their mission objective(s).



Pierluigi Paganini

(Security Affairs – VPNFilter, hacking)


The post Talos experts published technical details for other seven VPNFilter modules appeared first on Security Affairs.

Leave a Reply