What is VPNFilter? How It Operates & Ways to Stop It

May 30, 2020

In 2018, a new attack vector attributed to Russian hackers wreaked havoc on businesses and on private networks around the world. Some 500,000 routers are said to have been infected with VPNFilter, malware capable of stealing data from across a network and enslaving a router to process Dark Web traffic. VPNFilter can also strike, presumably once the hackers have decided that the router has outlived its usefulness to them: at that point they can brick the device and render the entire network useless. So, why should you care about VPNFilter? It is still very much at large, and your organization must stay aware of it. Let’s dig into how VPNFilter operates, and the measures you can take to protect yourself.

How Was VPNFilter Discovered?

The malware was discovered by Cisco’s Talos team, which had been following it for several months, but decided to publicize its existence in the wake of what appeared to be several massive “doses” of VPNFilter in May 2018, especially in Ukraine. While the Russian hackers may have indeed been targeting that country, given the bad blood between them, the malware has apparently leaked out to the West, and is now found on routers in 54 countries – leading Cisco to issue its cautionary report, and the FBI to shut down at least one domain that was associated with the attack.

How Does VPNFilter Operate?

VPNFilter operates in a manner similar to many other malware infections – seeking a hook onto a device, and then contacting the command and control server to install the actual malware. That second-stage C2 download can perform a variety of tasks, including “intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” according to the Justice Department.

Note that the malware mostly affects older models of routers by Linksys, MikroTik, Netgear, QNAP, and TP-Link that have not been updated with security patches, and in many cases models that still use the device’s default admin username and password. What’s unique about VPNFilter is that its first-stage payload – the “hook” it uses to download the more advanced malware – can survive a reboot (the second-stage malware apparently cannot). In addition, at least one of the methods the malware uses to contact a second-stage C2 server, the domain toknowall[.]com, is no longer available, as the FBI has taken over and shut down the domain.

Why It’s Important to Keep VPNFilter On Your Radar

What’s interesting is how the malware contacts the second-stage server: In order to obtain the IP address of a C2 server, VPNFilter parses EXIF data of public photos. Here’s how it works:

  1. The stage 1 payload contacts image sharing site Photobucket.com and downloads the first image from the gallery it was pointed to.
  2. VPNFilter then parses the image’s EXIF data, specifically the GPS latitude and longitude fields, and derives the C2 IP address from them.
  3. If it cannot contact Photobucket, it tries the same process at toknowall[.]com (as mentioned, this path no longer works, as the domain has been taken over by the FBI).
  4. If this fails as well, the Stage 1 payload begins listening and waits for a specific trigger packet which opens a connection between the operator and the Stage 1 payload. If all goes well, it will be able to derive the C2 IP address from this connection and continue execution.

Once VPNFilter discovers the C2 IP address, the Stage 1 payload will contact it and download the Stage 2 payload, which has all sorts of capabilities. These capabilities include everything from examining and uploading IP packets that pass through the router, to bricking the router when it is no longer needed, according to Talos. There is even the possibility, Talos said, of a third-stage download that enables the router to communicate over Tor – for what nefarious purpose is as yet unclear. Additionally, Talos determined that VPNFilter required no zero-day exploitation techniques. In other words, with no specific footprint or mode of activity to match, anti-virus systems wouldn’t even realize something untoward was going on.

The cyber criminals behind this attack have gone to great lengths to conceal their activities, utilizing some truly original and out-of-the-box thinking. By utilizing EXIF data, they were able to provide the Stage 1 payload with the required information in an inconspicuous, hard-to-detect way. EXIF data, embedded deep inside an image, is not on the radar of even the most sophisticated anti-virus systems. And that is why your organization needs a strong solution in place to tackle threats like VPNFilter head-on.

Protecting Your Organization From VPNFilter with Votiro

There is still plenty to learn about malware such as VPNFilter. So many threats these days can easily evade anti-virus solutions, and make their way into a network with little to no warning. However, users of Votiro Cloud don’t have to worry about that. Traditional security solutions are designed to block specific threats – and the limitations of that approach become very clear when an innovative attack vector comes on the scene. 

Our SFG is unique because it does not need to detect and analyze incoming samples. By utilizing file format specifications, we can rebuild any file while excluding the malicious and/or suspicious parts. Votiro’s Disarmer Positive Selection technology powers the gateway, which breaks the file down, removes the offending code, reconstructs the file, and sends it on. If a hacker tries to use EXIF – or any other data – to contact a malicious server, our SFG would nip that effort in the bud, preventing the code that contacts the server from entering a system in the first place. This gateway is capable of removing that data, or any other data that the user is suspicious of, from files, e-mail attachments, or any other incoming file. And when it comes to VPNFilter, it is best to take no chances.
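The EXIF lookup described under “How Does VPNFilter Operate?” and the rebuild-and-strip approach described here, as an added example that is neither Votiro’s nor Talos’s code: a minimal parser that reports whether an inbound JPEG carries GPS latitude/longitude in its Exif APP1 segment (the fields the Stage 1 payload reads), and a sanitizer that rebuilds the file with that segment removed. The JPEG sample is constructed inline and holds only a GPS IFD; the coordinate-to-address conversion itself is not part of the example.

```python
import struct

def build_sample(lat_dms, lon_dms):
    """Constructed input: a minimal JPEG whose Exif APP1 holds only a GPS IFD (not a real photo)."""
    gps_off = 8 + 2 + 12 + 4                 # TIFF header, then IFD0: count, one entry, next pointer
    rat_off = gps_off + 2 + 2 * 12 + 4       # GPS IFD: count, two entries, next pointer
    ifd0 = struct.pack("<HHHIII", 1, 0x8825, 4, 1, gps_off, 0)            # GPSInfo -> GPS IFD
    gps = struct.pack("<HHHIIHHIII", 2, 0x0002, 5, 3, rat_off, 0x0004, 5, 3, rat_off + 24, 0)
    rats = b"".join(struct.pack("<II", v, 1) for v in (*lat_dms, *lon_dms))  # deg/min/sec rationals
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + rats
    scan = b"\xff\xda\x00\x02" + b"\x00" * 8 + b"\xff\xd9"                 # SOS, fake scan data, EOI
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + scan

def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment before the scan, then the remainder."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, pos + 2 + seg_len
        pos += 2 + seg_len
    yield None, pos, len(jpeg)   # SOS segment, entropy-coded data and EOI, passed through as-is

_is_exif = lambda jpeg, m, s: m == 0xE1 and jpeg[s + 4:s + 10] == b"Exif\x00\x00"

def _gps_from_tiff(t):
    e = "<" if t[:2] == b"II" else ">"           # byte order from the TIFF header
    u16 = lambda o: struct.unpack(e + "H", t[o:o + 2])[0]
    u32 = lambda o: struct.unpack(e + "I", t[o:o + 4])[0]
    # IFD entry layout: tag(2) type(2) count(4) value-or-offset(4); map tag -> last field
    ifd = lambda off: {u16(off + 2 + 12 * i): u32(off + 10 + 12 * i) for i in range(u16(off))}
    ifd0 = ifd(u32(4))
    gps = ifd(ifd0[0x8825]) if 0x8825 in ifd0 else {}   # follow the GPSInfo pointer if present
    if 0x0002 not in gps or 0x0004 not in gps:          # GPSLatitude / GPSLongitude
        return None
    dms = lambda off: tuple(u32(off + 8 * i) // max(u32(off + 8 * i + 4), 1) for i in range(3))
    return dms(gps[0x0002]), dms(gps[0x0004])

def exif_gps(jpeg):
    """Return (lat_dms, lon_dms) if the JPEG's Exif segment carries GPS coordinates, else None."""
    for marker, s, e in _segments(jpeg):
        if _is_exif(jpeg, marker, s):
            return _gps_from_tiff(jpeg[s + 10:e])
    return None

def strip_exif(jpeg):
    """Rebuild the file from its segments, dropping Exif APP1 but keeping the image data."""
    keep = [jpeg[s:e] for m, s, e in _segments(jpeg) if not _is_exif(jpeg, m, s)]
    return jpeg[:2] + b"".join(keep)

SAMPLE = build_sample((37, 46, 30), (122, 25, 10))   # constructed coordinates
```

Run against real files, a hit on `exif_gps` is only a signal that coordinates are present, which is normal for camera photos; the sanitizer, not the detector, is what removes the channel.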

Ready to see Votiro Cloud in action? Schedule a demo with us! Or, feel free to contact us today.