Seven new modules discovered in VPNFilter further fill in the blanks about how the malware operates and reveals a wider breath of capabilities.

Researchers have discovered new modules in VPNFilter – the malware behind the widespread campaign in May that infected 75 router brands – revealing that its capabilities are much more widespread and sophisticated than previously thought.

After reverse-engineering seven additional third-stage modules, Cisco Talos researchers said that it has discovered that the malware packs additional capabilities – including network-mapping functions, a denial-of-service utility and traffic obfuscation techniques. That also includes a method of scoping out and exploiting additional victims accessible on the local network from already-infected devices.

“The sophistication of VPNFilter drives home the point that this is a framework that all individuals and organizations should be tracking,” researchers said in a report, published Wednesday. “Only an advanced and organized defense can combat these kinds of threats, and at the scale that VPNFilter is at, we cannot afford to overlook these new discoveries.”

VPNFilter was discovered by Talos researchers in May in an active campaign that researchers originally thought infected 500,000 home office routers from brands including Linksys, MikroTik, NETGEAR and TP-Link. Later, in June, that campaign was found to be much more widespread and serious – also impacting routers from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE – and the total number of router models targeted by VPNFilter adversaries was raised to 75.

Since researchers first discovered the malware, they have found it to possess an ever-greater range of destructive capabilities.

The first stage of the malware seen in the first campaign in May gains a persistent foothold on the devices and connects to command-and-control (C2). The second stage of the malware, also spotted in May, touts capabilities like file collection, command execution, data exfiltration and device management.

Then, when the June campaign was uncovered, researchers subsequently found several “stage three” modules in the malware, which serve as plugins for the second stage of VPNFilter. These include a packet sniffer for collecting traffic that passes through the device (such as theft of website credentials and monitoring of Modbus SCADA protocols), and a communications module that allows the stage-two functions to communicate over Tor.

Talos’ most recent discovery of seven new modules add on to these existing third-stage modules.

New Modules

The modules vary in function and are dubbed: ‘htpx,’ ‘ndbr,’ ‘nm,’ ‘netfilter,’ ‘portforwarding,’ ‘socks5proxy,’ and ‘tcpvpn.’

The ‘nm’ module adds a significant capability to the malware’s arsenal: It is used to scan and map other devices on the local network of the infected device. Once downloaded, the module sets an ICMP echo request to the infected host, which will then try to map out the network via a port scan.

For instance, it has been seen utilizing a MikroTik Network Discovery Protocol (MNDP) to pinpoint any other MikroTik devices on the local network – and if a MikroTik device replies to the ping, the module will then extract its MAC address, system identity, version number, platform type, uptime in seconds, RouterOS software ID, RouterBoard model and interface name.

‘Htpx’ meanwhile is an endpoint exploitation module that enables executable injection. The module essentially inspects HTTP communications and identifies the presence of Windows executables – once these are detected, the module then flags them.

“We assess with moderate confidence that this module could be leveraged by attackers to download a binary payload and allow for on-the-fly patching of Windows executables as they pass through compromised devices,” researchers said.

This version of VPNFilter also touts a denial-of-service module dubbed ‘netfilter,’ which researchers speculate may have been designed to deny access to specific forms of encrypted applications, “possibly in an attempt to herd victim communications to a service that the actor preferred they use,” they said. Researchers came to thar conclusion after noticing that the sample they analyzed contained a list of 168 IP addresses connected to encrypted applications like WhatsApp, Tencent (the owner of QQ Chat) and Amazon (the owner of several encrypted applications like Wikr and Signal). Interestingly, Telegram was absent from that list.

The malware packs several other tricky modules, including ‘ndbr,’ a multi-functional Secure Socket Shell (SSH) tool that can port-scan other IPs; a ‘portfowarding’ tool that forwards network traffic to an attacker-specified infrastructure; ‘tcpvpn,’ which establishes a reverse-TCP VPN on compromised devices; as well as ‘socks5proxy,’ which enables establishment of a SOCKS5 proxy on compromised devices.

Unanswered Questions

As for who is behind the VPNFilter malware, Talos said during the May router attack that it believes state-sponsored or state-affiliated actors are the perpetrators. They also have linked code used by the malware authors to that of the BlackEnergy malware, which has been utilized in previous attacks in the Ukraine.

Significant questions still linger around VPNFilter: including how the actor gained initial access to impacted devices during its May campaign targeting routers, and whether the threat actor behind the malware is attempting to reconstitute their access.

“Whatever the answers may be, we know that the actor behind VPNFilter is extremely capable and driven by their mission priorities to continually maneuver to achieve their goals. In one form or another, they continue to develop and use the tools and frameworks necessary to achieve their mission objective(s),” researchers said.