Self-deleting malware targets home routers to gather information

Attackers could be using VICEPASS for reconnaissance, or for future cross-site request forgery attacks.
Attackers could be using VICEPASS for reconnaissance, or for future cross-site request forgery attacks.

Researchers with Trend Micro have analyzed malware that first connects to home routers and scans for connected devices, and then sends the information it gathers to a command-and-control (C&C) server before deleting itself without a trace.

The malware was detected by Trend Micro as TROJ_VICEPASS.A, or VICEPASS, and it has been observed infecting users that navigate to malicious websites hosting a purported Adobe Flash update, according to a Monday post by Kenney Lu, of Trend Micro.

Once downloaded and executed, the malware uses a predefined list of usernames and passwords to attempt to connect to the home router, Lu wrote. Some of the usernames include admin, D-Link, guest, root and user, and some of the passwords include 12345678, admin, password and qwerty.

“This malware appears to be used primarily for intelligence gathering,” Lu told in a Tuesday email correspondence. “Specifically, it enumerates as many connected devices as possible, attempts to connect to them and returns a list of results to the command-and-control server.”

When connected to the home router, the malware scans for devices using various strings in its search, including dlink, d-link, laserjet, apache, cisco, gigaset, asus, apple, iphone, ipad, logitech, samsung, and xbox, Lu wrote in the post.

Lu said that the malware “will affect every device in the target network. If it finds any of these vendors' devices, the devices will be given a specific vendor name, [and] other devices will be marked as 'unknown'.”

The search results are encrypted using Base64 and a self-made encryption method, and are sent to the C&C using HTTP protocol, Lu wrote in the post, explaining that the malware will then delete itself and remove any trace of its existence.

In the post, Lu suggested that attackers could be using VICEPASS for reconnaissance for bigger campaigns. He wrote that the information gleaned from the malware could also be stored and used for future cross-site request forgery (CSRF) attacks.

To protect against these types of threats, Lu suggested using strong passwords, not clicking on links in emails, and updating software from official websites.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters