Threat Management, Threat Intelligence, Network Security, Malware, Network Security

Seven additional modules make Fancy Bear’s VPNFilter malware even more versatile


Researchers have discovered seven additional third-stage modules in the VPNFilter malware that has been infecting hundreds of thousands of global networking devices in Ukraine and around the world since at least 2016.

Believed to be the creation of Russian APT group Fancy Bear, VPNFilter remains a credible threat, despite recent efforts taken to expose the campaign and seize one of its domains. Originally known to be capable of DDoS attacks, information wiping/bricking, and cyber espionage, it now appears that VPNFilter's additional third-stage modules allow it to more easily propagate from infected network devices to other endpoints, perform data filtering, and obfuscate or encrypted malicious traffic, particularly through encrypted tunneling.

"We now confirm that VPNFilter provides attackers all of the functionality required to leverage compromised network and storage devices to further pivot into and attack systems within the network environments that are being targeted," said a blog post published today by Cisco Systems' Talos threat research unit, which originally discovered and reported the threat last May.

In the post, Talos described the seven modules and their functionalities in the following table:

Talos also announced that it created a dissector tool for the Microsoft Winbox protocol, after noticing that VPNFilter attacks were abusing the utility tool and associated TCP port 8291 to infect MikroTik devices. Cisco said that its tool is publicly available to network operators to help them monitor traffic going through port 8291 for malicious activity.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.