Researchers at Cisco's Talos have discovered that VPNfilter—the malware that prompted Federal Bureau of Investigation officials to urge people to reboot their Internet routers—carried an even bigger punch than had previously been discovered. While researchers already found that the malware had been built with multiple types of attack modules that could be deployed to infected routers, further research uncovered seven additional modules that could have been used to exploit the networks routers were attached to, thus stealing data and creating a covert network for command and control over future attacks. The malware appeared to be primarily intended to attack Ukraine on the anniversary of the NotPetya attack, but VPNfilter was clearly built for long-term use as a network exploitation and attack platform.

The initial discovery of the malware may have prevented the attackers from meeting their primary objective, but there are still thousands of routers worldwide that are affected by VPNfilter—including vulnerable Mikrotik routers that were heavily targeted by the attackers. This latest research points once again to the danger posed by the ever-increasing number of vulnerable and often unpatchable Internet and wireless routers and other "Internet of Things" devices.

VPNfilter, attributed, based on code elements, to APT 28 (also known as "Fancy Bear"), had been detected on a half million routers in 54 countries. The malware affects devices from Linksys, Mikrotik, Netgear, and TP-Link and network-attached storage devices from QNAP, according to Cisco Talos researchers. Craig Williams, director of outreach at Talos, told Ars that the malware targeted known vulnerabilities in unpatched products—and it seemed to focus heavily on a remote configuration protocol for Mikrotik devices.

Because of the focus on Mikrotik, Talos is also publishing a tool called the Winbox Protocol Dissector, which can be used to look for malicious activity on Mikrotik routers based on Mikrotik's Winbox protocol. VPNfilter exploited Winbox, the protocol used by a Windows-based management client for Mikrotik devices. The same protocol was targeted by cryptocurrency-mining malware and by Slingshot, another alleged state-sponsored malware attack first reported by Kaspersky.

Seven more kinds of pain

The first stage of VPNfilter was designed to survive reboots, which is highly unusual for router-targeting malware—which usually relies on code stored in volatile memory. To fetch the second stage, the first stage downloaded a digital image from Photobucket or, alternatively, from the domain Toknowall.com (a domain seized by the FBI) and derived an Internet address from six integer values stored as GPS latitude and longitude in the image's EXIF data. If both methods failed, the malware went into "listen" mode, allowing the attackers to connect remotely and configure it with the second stage.
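The EXIF trick above is what makes the download look like an ordinary image fetch: the six GPS rationals (degrees, minutes, seconds for latitude and longitude) are a convenient place to stash six small integers. The following is an added example, not Talos's or the malware's code, showing how a defender could pull those six values out of the TIFF/EXIF structure and flag an image whose "coordinates" cannot be a real location (degrees above 90/180, minutes or seconds of 60 or more, zero denominators). The arithmetic the malware used to turn the integers into an address is not described on this page, so the example stops at extraction plus a plausibility check; the sample EXIF blobs are constructed inline, and the tag numbers are the standard EXIF GPS IFD tags.

```python
import struct

# Standard EXIF tag numbers for the GPS sub-IFD and its coordinate fields.
TAG_GPS_IFD = 0x8825
TAG_GPS_LATITUDE = 0x0002
TAG_GPS_LONGITUDE = 0x0004
TYPE_LONG = 4      # 32-bit unsigned, stored inline in the 4-byte value field
TYPE_RATIONAL = 5  # two 32-bit unsigned (numerator, denominator), stored at an offset


def _read_ifd(blob, offset, endian):
    """Return {tag: (type, count, raw 4-byte value field)} for one IFD."""
    count = struct.unpack_from(endian + "H", blob, offset)[0]
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, typ, n, value_field = struct.unpack_from(endian + "HHI4s", blob, pos)
        entries[tag] = (typ, n, value_field)
        pos += 12
    return entries


def _three_rationals(blob, endian, entry):
    """Decode a GPSLatitude/GPSLongitude entry: three RATIONALs stored at an offset."""
    typ, n, value_field = entry
    if typ != TYPE_RATIONAL or n != 3:
        raise ValueError("expected three RATIONAL values")
    data_offset = struct.unpack(endian + "I", value_field)[0]
    v = struct.unpack_from(endian + "6I", blob, data_offset)
    return [(v[i], v[i + 1]) for i in range(0, 6, 2)]


def extract_gps_rationals(blob):
    """Return (latitude, longitude) as lists of (num, den), or None if no GPS data."""
    endian = {b"II": "<", b"MM": ">"}.get(blob[:2])
    if endian is None:
        raise ValueError("not a TIFF/EXIF header")
    magic, ifd0_offset = struct.unpack_from(endian + "HI", blob, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = _read_ifd(blob, ifd0_offset, endian)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps_offset = struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])[0]
    gps = _read_ifd(blob, gps_offset, endian)
    if TAG_GPS_LATITUDE not in gps or TAG_GPS_LONGITUDE not in gps:
        return None
    return (_three_rationals(blob, endian, gps[TAG_GPS_LATITUDE]),
            _three_rationals(blob, endian, gps[TAG_GPS_LONGITUDE]))


def gps_plausible(lat, lon):
    """True only if the six rationals could describe a real place on Earth."""
    def ok(triple, max_deg):
        if any(den == 0 for _, den in triple):
            return False
        deg, minutes, seconds = (num / den for num, den in triple)
        return deg <= max_deg and minutes < 60 and seconds < 60
    return ok(lat, 90) and ok(lon, 180)


def analyze_exif(blob):
    """Summarise one EXIF blob: the six integers carried as GPS numerators and
    whether they look like coordinates. Returns None when there is no GPS data."""
    found = extract_gps_rationals(blob)
    if found is None:
        return None
    lat, lon = found
    six = [num for num, _ in lat] + [num for num, _ in lon]
    return {"six_integers": six, "plausible": gps_plausible(lat, lon)}


def build_sample_exif(lat, lon):
    """Construct a minimal little-endian TIFF/EXIF blob holding only a GPS IFD.
    Sample input for this example, not a real capture."""
    def ifd(entries):
        body = struct.pack("<H", len(entries))
        for tag, typ, n, value in entries:
            body += struct.pack("<HHI", tag, typ, n) + value
        return body + struct.pack("<I", 0)  # no next IFD

    gps_ifd_offset = 8 + (2 + 12 + 4)            # header + IFD0 with one entry
    lat_offset = gps_ifd_offset + (2 + 2 * 12 + 4)  # GPS IFD with two entries
    lon_offset = lat_offset + 24                   # three RATIONALs = 24 bytes
    header = b"II" + struct.pack("<HI", 42, 8)
    ifd0 = ifd([(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack("<I", gps_ifd_offset))])
    gps_ifd = ifd([(TAG_GPS_LATITUDE, TYPE_RATIONAL, 3, struct.pack("<I", lat_offset)),
                   (TAG_GPS_LONGITUDE, TYPE_RATIONAL, 3, struct.pack("<I", lon_offset))])
    rationals = lambda t: b"".join(struct.pack("<II", n, d) for n, d in t)
    return header + ifd0 + gps_ifd + rationals(lat) + rationals(lon)


# Constructed samples: a believable coordinate and one that cannot be a location.
SAMPLE_REAL = build_sample_exif(((48, 1), (51, 1), (29, 1)), ((2, 1), (21, 1), (5, 1)))
SAMPLE_SUSPECT = build_sample_exif(((217, 1), (33, 1), (99, 1)), ((0, 1), (255, 1), (1, 1)))

if __name__ == "__main__":
    for name, blob in (("real", SAMPLE_REAL), ("suspect", SAMPLE_SUSPECT)):
        print(name, analyze_exif(blob))
```

The plausibility check is a heuristic, not a signature: an attacker can always choose six values that look like a valid coordinate, so the stronger control is treating unexpected image downloads by a router as a signal in their own right.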

That second stage, which was not persistent, was essentially a platform for loading various additional modules onto the compromised routers. It also carried a self-destruct "kill switch" that could be used to overwrite portions of the router's firmware and reboot it, rendering the router useless in the process. Turning off a router flushes the second stage of the attack, but it still leaves the first stage behind, open to direct return connections from the attackers.

Two add-on modules had previously been discovered by researchers. One is a packet sniffer that intercepts Internet traffic passing through the device, including website credentials and Modbus SCADA protocol traffic. A second enables covert communications over the Tor anonymizing network. The seven new modules uncovered add significantly to the potential attacks that could be staged from compromised routers, and many of them are based on existing open source tools. The modules include:

‘htpx’ - a module that redirects and inspects the contents of unencrypted Web traffic passing through compromised devices.

‘ndbr’ - a multifunctional secure shell (SSH) utility that allows remote access to the device. It can act as an SSH client or server and transfer files using the SCP protocol. A "dropbear" command turns the device into an SSH server. The module can also run the nmap network port scanning utility.

‘nm’ - a network mapping module used to perform reconnaissance from the compromised devices. It performs a port scan and then uses the Mikrotik Network Discovery Protocol to search for other Mikrotik devices that could be compromised.

‘netfilter’ - a firewall management utility that can be used to block sets of network addresses.

‘portforwarding’ - a module that allows network traffic from the device to be redirected to a network specified by the attacker.

‘socks5proxy’ - a module that turns the compromised device into a SOCKS5 virtual private network proxy server, allowing the attacker to use it as a front for network activity. It uses no authentication and is hardcoded to listen on TCP port 5380. There were several bugs in the implementation of this module.

‘tcpvpn’ - a module that allows the attacker to create a Reverse-TCP VPN on compromised devices, connecting them back to the attacker over a virtual private network for export of data and remote command and control.

Not over yet

While the FBI has "blackholed" the sources of the IP address data used to configure stage 2 of the VPNfilter malware, compromised routers still remain a threat. Because it's possible for the attackers to re-establish connections to compromised devices that they have address information for, they could conceivably re-install the second stage of the malware remotely on rebooted devices. That's part of the reason why Cisco is releasing tools to monitor use of the exploited Mikrotik protocol—many of the affected devices are Internet provider-owned routers that customers may not even be aware are vulnerable.

The Winbox Protocol Dissector is a plug-in for network analysis tools such as Wireshark. It can be used to detect and analyze Winbox traffic within captured network traffic, parsing packet contents to allow inspection of the traffic. Cisco is posting the plug-in on its GitHub page.
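Not every operator can run Wireshark against live traffic on customer-premises routers, but most have flow or connection logs. As an added example (not Cisco's dissector, and not the Talos tooling), the following checks a batch of flow records for two things this article gives a defender to look for: inbound connections to TCP port 5380, the hardcoded, unauthenticated listener of the socks5proxy module, and Winbox management sessions arriving from outside the operator's own management network. The flow lines, router addresses and management subnet are constructed; TCP/8291 is assumed to be Mikrotik's default Winbox port, which this page does not state.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts proto src_ip src_port dst_ip dst_port")

SOCKS5PROXY_PORT = 5380  # hardcoded listener of the socks5proxy module, per the findings above
WINBOX_PORT = 8291       # assumption: Mikrotik's default Winbox port, unchanged on this network

# Constructed inventory: routers we operate and the only network that should manage them.
ROUTER_ADDRESSES = {"203.0.113.10", "203.0.113.11"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed flow log: "<timestamp> <proto> <src_ip> <src_port> <dst_ip> <dst_port>".
SAMPLE_FLOWS = """\
2018-06-06T10:00:01Z tcp 10.20.0.5 50122 203.0.113.10 8291
2018-06-06T10:00:07Z tcp 198.51.100.77 41000 203.0.113.10 8291
2018-06-06T10:00:09Z tcp 198.51.100.80 41873 203.0.113.11 5380
2018-06-06T10:00:12Z tcp 203.0.113.11 5380 198.51.100.80 41873
2018-06-06T10:00:15Z udp 10.20.0.5 53000 203.0.113.10 53
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format above into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, proto, src_ip, src_port, dst_ip, dst_port = line.split()
        flows.append(Flow(ts, proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port)))
    return flows


def from_management(ip):
    """True if the source address belongs to a network allowed to use Winbox."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def find_suspicious(flows):
    """Return (timestamp, router, reason) for flows that match either indicator.
    Only connections *to* a managed router are considered, so the reverse
    direction of the same session is not double-counted."""
    alerts = []
    for f in flows:
        if f.proto != "tcp" or f.dst_ip not in ROUTER_ADDRESSES:
            continue
        if f.dst_port == SOCKS5PROXY_PORT:
            alerts.append((f.ts, f.dst_ip,
                           f"inbound TCP/{SOCKS5PROXY_PORT} from {f.src_ip}: "
                           "matches VPNfilter socks5proxy listener"))
        elif f.dst_port == WINBOX_PORT and not from_management(f.src_ip):
            alerts.append((f.ts, f.dst_ip,
                           f"Winbox session from non-management source {f.src_ip}"))
    return alerts


if __name__ == "__main__":
    for ts, router, reason in find_suspicious(parse_flows(SAMPLE_FLOWS)):
        print(ts, router, reason)
```

A hit on port 5380 is worth treating as a likely stage-2 infection and a cue to capture the Winbox traffic for the dissector; a Winbox session from an unexpected source is weaker evidence on its own, but it is exactly the access path the article says the attackers relied on, and legitimate use of it should be confinable to a known management range.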