VPNFilter: the wake of EXIF GPS data

May 30, 2018

“Russian hackers” have been much in the news of late, mostly for their alleged political leanings – but a new attack vector attributed to Russian hackers is wreaking havoc in businesses and on private networks around the world. Some 500,000 routers are said to be infected with VPNFilter, malware capable of stealing data from across a network, enslaving a router to process Dark Web traffic and/or to do who knows what else, or – presumably when the hackers have decided that the router has outlived its usefulness for them – bricking the device, rendering the entire network useless.

The malware was discovered by Cisco’s Talos team, which has been following it for several months, but decided to publicize its existence in the wake of what appeared to be several massive “doses” of VPNFilter in May, especially in Ukraine. While the Russian hackers may have indeed been targeting that country, given the bad blood between them, the malware has apparently leaked out to the West, and is now found on routers in 54 countries – leading Cisco to issue its blog post, and the FBI to shut down at least one domain that was associated with the attack.

Basically, VPNFilter operates in a manner similar to many other malware infections – seeking a hook onto a device, and then contacting the command and control server to install the actual malware. That second-stage C2 download can perform a variety of tasks, including “intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” according to the Justice Department.

Note that the malware affects mostly older models of routers by Linksys, MikroTik, Netgear, QNAP and TP-Link that have not been updated with security patches and in many cases still use the device's default admin/pass credentials (you’d be surprised how much of that is still going on!). What’s unique about VPNFilter is that its first-stage payload – the “hook” it uses to download the more advanced malware – can survive a reboot (the second-stage malware apparently cannot). In addition, at least one of the locations the malware uses to find its second-stage C2 server, toknowall[.]com, is no longer available, as the FBI has taken over and shut down the domain.

For us, what’s interesting is how the malware contacts the second-stage server: In order to obtain the IP address of a C2 server, VPNFilter parses EXIF data of public photos. Here’s how it works:

  1. The stage 1 payload contacts image sharing site Photobucket.com and downloads the first image from the gallery it was pointed to.
  2. It parses the image’s EXIF data, specifically for GPS latitude and longitude, thus determining the C2 IP address.
  3. If it cannot contact Photobucket, it tries the same process at toknowall[.]com (as mentioned, this function no longer works, as the domain has been taken over by the FBI).
  4. If this fails as well, the Stage 1 payload begins listening and waits for a specific trigger packet which opens a connection between the operator and the Stage 1 payload. If all goes well, it will be able to derive the C2 IP address from this connection and continue execution.

Once it discovers the C2 IP address, the Stage 1 payload will contact it and download the Stage 2 payload, which has all sorts of capabilities, from examining and uploading IP packets that pass through the router to bricking the router when it is no longer needed, according to Talos. There is even the possibility, Talos said, of a third-stage download that enables the router to communicate over Tor – for what nefarious purpose is as yet unclear. And, according to the group, “we assess with high confidence that there are likely several more that we have not yet discovered.”

Talos also notes that “all of the affected makes/models that we have uncovered had well-known, public vulnerabilities. Since advanced threat actors tend to only use the minimum resources necessary to accomplish their goals, we assess with high confidence that VPNFilter required no zero-day exploitation techniques.” In other words, without a specific footprint or mode of activity, anti-virus systems wouldn’t even realize something untoward was going on.

The actors behind this attack have gone to great lengths to conceal their activities, utilizing some truly original and out-of-the-box thinking. By utilizing EXIF data, they were able to provide the Stage 1 payload with the required information in a non-suspicious, undetectable way. EXIF data, embedded deep inside an image, is not on the radar of even the most sophisticated anti-virus systems.

But it is on our radar. While researchers are still learning the details of how VPNFilter manages to install itself on routers (note that until that happens, no security solution can be implemented; the best that potential victims can do is reboot the affected router, as the latter-stage malware cannot survive a reboot), that same EXIF trick could be utilized in a wide variety of malware attacks on computers or servers.

But users of Votiro’s Disarmer system don’t have to worry about that. Traditional security solutions are designed to block specific threats – and the limitations of that approach become very clear when an innovative attack vector comes on the scene. Disarmer is unique because it does not need to detect and analyze incoming samples. By utilizing file format specifications, we can rebuild any file while excluding malicious / suspicious parts. Votiro’s Disarmer would break the file down, remove the offending code, reconstruct the file, and send it on. If a hacker tried to use EXIF – or any other data – to contact a malicious server, Disarmer would nip that effort in the bud, preventing the code that contacts the server from entering a system in the first place. Disarmer is capable of removing that data, or any other data that the user is suspicious of, from files, e-mail attachments, or any other incoming content.
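To make the EXIF lookup in step 2 and the rebuild-without-suspicious-parts idea above concrete, here is an added example (not Votiro's, Talos's or the malware's code) that walks a JPEG's segments, reports the GPS latitude/longitude rationals stored in its Exif block, and rebuilds the file without Exif. The function names and the sample image are constructed for illustration.

```python
import struct

EXIF_HDR = b"Exif\x00\x00"
GPS_IFD_POINTER, GPS_LAT, GPS_LON = 0x8825, 2, 4   # standard Exif tag ids

def _ifd(tiff, off, bo):
    """Map tag -> raw 4-byte value/offset field for the IFD at `off`."""
    (n,) = struct.unpack_from(bo + "H", tiff, off)
    return {struct.unpack_from(bo + "H", tiff, off + 2 + 12 * i)[0]:
            tiff[off + 10 + 12 * i: off + 14 + 12 * i] for i in range(n)}

def gps_from_tiff(tiff):
    """Return {tag: three (num, den) rationals} for GPS lat/lon, else None."""
    try:
        bo = "<" if tiff[:2] == b"II" else ">"
        magic, ifd0 = struct.unpack_from(bo + "HI", tiff, 2)
        ptr = _ifd(tiff, ifd0, bo).get(GPS_IFD_POINTER) if magic == 42 else None
        if ptr is None:
            return None
        gps = _ifd(tiff, struct.unpack(bo + "I", ptr)[0], bo)
        vals = {t: struct.unpack_from(bo + "6I", tiff, struct.unpack(bo + "I", gps[t])[0])
                for t in (GPS_LAT, GPS_LON) if t in gps}
        return {t: list(zip(v[0::2], v[1::2])) for t, v in vals.items()}
    except struct.error:      # truncated or malformed Exif: nothing readable
        return None

def scan_and_strip(jpeg):
    """Return (GPS fields or None, JPEG rebuilt without Exif APP1 segments)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out, pos, gps = bytearray(jpeg[:2]), 2, None
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFDA:          # start of scan: copy image data as-is
            break
        seg = jpeg[pos:pos + 2 + length]
        if marker == 0xFFE1 and seg[4:10] == EXIF_HDR:
            gps = gps or gps_from_tiff(seg[10:])   # record, then drop segment
        else:
            out += seg
        pos += 2 + length
    return gps, bytes(out) + jpeg[pos:]

def sample_jpeg():
    """Constructed sample: SOI, Exif APP1 with GPS IFD, SOS stub, EOI."""
    tiff = (b"II" + struct.pack("<HI", 42, 8)                             # TIFF header
            + struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)     # IFD0 at 8
            + struct.pack("<HHHIIHHIII", 2, GPS_LAT, 5, 3, 56, GPS_LON, 5, 3, 80, 0)
            + struct.pack("<12I", 10, 1, 20, 1, 30, 1, 40, 1, 50, 1, 60, 1))
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + EXIF_HDR + tiff
            + b"\xff\xda\x00\x02\x00\xff\xd9")
```

Calling `scan_and_strip(sample_jpeg())` returns the two GPS fields and a copy of the image with the Exif segment gone; a proxy or mail gateway could log the first and forward the second.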