Researchers have discovered seven additional third-stage modules in the VPNFilter malware that has been infecting hundreds of thousands of global networking devices in Ukraine and around the world since at least 2016.
Believed to be the creation of Russian APT group Fancy Bear, VPNFilter remains a credible threat, despite recent efforts taken to expose the campaign and seize one of its domains. Originally known to be capable of DDoS attacks, information wiping/bricking, and cyber espionage, it now appears that VPNFilter’s additional third-stage modules allow it to more easily propagate from infected network devices to other endpoints, perform data filtering, and obfuscate or encrypt malicious traffic, particularly through encrypted tunneling.
“We now confirm that VPNFilter provides attackers all of the functionality required to leverage compromised network and storage devices to further pivot into and attack systems within the network environments that are being targeted,” said a blog post published today by Cisco Systems’ Talos threat research unit, which originally discovered and reported the threat last May.
In the post, Talos described the seven modules and their functionalities in the following table:
Talos also announced that it created a dissector tool for the Microsoft Winbox protocol, after noticing that VPNFilter attacks were abusing the utility tool and associated TCP port 8291 to infect MikroTik devices. Cisco said that its tool is publicly available to network operators to help them monitor traffic going through port 8291 for malicious activity.
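As an added illustration of the kind of port-8291 monitoring Cisco describes (this is example code written for this article, not Talos's dissector tool), the script below walks a set of constructed flow records, flags TCP connections to the Winbox port that do not originate from a hypothetical management subnet, and tallies the offending sources. The record format, the `10.0.5.0/24` management range and all addresses are assumptions made up for the example.

```python
import ipaddress
from collections import Counter

# Winbox management port that the article says VPNFilter abused on MikroTik devices
WINBOX_PORT = 8291

# Hypothetical subnet from which Winbox access is expected (assumption for this example)
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed sample flow records (not real traffic): timestamp,src,dst,dport,proto
SAMPLE_FLOWS = """\
2018-09-26T10:00:01Z,10.0.5.12,10.0.0.1,8291,tcp
2018-09-26T10:00:07Z,203.0.113.44,10.0.0.1,8291,tcp
2018-09-26T10:00:09Z,203.0.113.44,10.0.0.2,8291,tcp
2018-09-26T10:01:15Z,10.0.5.12,10.0.0.1,443,tcp
2018-09-26T10:02:30Z,198.51.100.7,10.0.0.3,8291,tcp
"""


def parse_flows(text):
    """Parse comma-separated flow lines into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
        })
    return flows


def is_management_source(addr):
    """True when the source address lies inside an allow-listed management network."""
    return any(addr in net for net in MANAGEMENT_NETS)


def find_unexpected_winbox(flows):
    """Return TCP flows to the Winbox port whose source is not a management host."""
    return [
        f for f in flows
        if f["proto"] == "tcp" and f["dport"] == WINBOX_PORT and not is_management_source(f["src"])
    ]


def summarize_by_source(alerts):
    """Count flagged flows per source address, useful for spotting scanning hosts."""
    return Counter(str(a["src"]) for a in alerts)


if __name__ == "__main__":
    alerts = find_unexpected_winbox(parse_flows(SAMPLE_FLOWS))
    for a in alerts:
        print(f"{a['ts']} unexpected Winbox access {a['src']} -> {a['dst']}")
    print("per-source counts:", dict(summarize_by_source(alerts)))
```

Port 8291 is the normal MikroTik administration channel, so a bare port match on its own is not an indicator; the allow-list is what turns it into a signal worth triaging, and the same shape of rule can be fed from NetFlow, Zeek `conn.log` or firewall logs in place of the constructed records.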