New 'Rombertik' malware destroys master boot record if analysis function detected
New 'Rombertik' malware destroys master boot record if analysis function detected

The VPNFilter malware that was discovered infecting hundreds of thousands of routers and Network Attached Storage devices since at least 2016 is apparently an even more serious threat than originally reported.

A new blog post today from Cisco Systems'  Talos threat intelligence unit reports that researchers have identified even more device makes and models as targets, and have uncovered additional third-stage modules, one of which is capable of compromising not just the networking devices, but also the endpoints connected to them.

The reports adds equipment from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE to VPNFilter's roster of targets, plus more devices from previously named targets Linksys, MikroTik, Netgear, and TP-Link.

Talos identified the two newly uncovered stage-three modules as ssler (pronounced "esler") and dstr.

The ssler module is capable of exfiltrating data, as well as injecting malicious JavaScript into web traffic intercepted from network devices. The latter function creates a man-in-the-middle (MITM) scenario that allows attackers to potentially deliver exploits to endpoints connected to the network.

"This does not mean it will be successful at the exploitation attempt," said Mounir Hahad, head of Juniper Threat Labs, in emailed comments, but it does mean "the exploit is attempted without a user having to visit a compromised site, click on a malicious link or open a malicious email attachment."

Specifically, the malware hijacks traffic destined for port 80 and redirects it to its own listening service on port 8888, by executing several malicious commands within the kernel -- a technique it performs every four minutes to establish persistence. The content of this traffic can then be stolen or modified before it is sent to the legitimate HTTP service.

Moreover, any requests to move traffic through the more secure HTTPS protocol is "sslstripped," meaning the module changes HTTPS requests to less secure, unencrypted HTTP requests, thus allowing the attackers to view the transmitted content in plain text and harvest any credentials or other sensitive data.

"With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports," Talos warns. "If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware," the blog post later concludes.

The malware performs its MITM attack based on certain variables or parameters, including Source IP (the endpoint IP making the http request), Destination IP, and Visited Sites. A separate blog post issued by Juniper Networks today notes that the including of Source IP "means the threat actor has potentially profiled endpoints behind the firewall and knows which endpoint to target with the exploits," while the use of Visited Sites and Destination IP and Visited sites lets the adversary target domain names of interest, or spy on communications with banks and cloud email platforms and other service providers.

A spokesperson for Symantec, which updated its VPNFilter Q&A page based on Talos' latest report, told SC Media via email that "by default, the malware searches for certain strings, such as passwords," but it can also "send a file to look for all info related to a specific banking website, copy all unencrypted traffic, and send to a host server to be used at a later point."

The other recently exposed stage-three module, dstr, adds a "kill" function, capable of bricking devices, to any stage-two VPNFilter module that didn't already come with this power. (Only some versions of the stage-two module, which typically performs file collection, command execution, data exfiltration and device management, can render devices unusable, by overwriting a portion of the firmware and forcing a reboot.)

Talos said that dstr bricks devices by "deleting files necessary for normal operation," while also "deleting all files and folders related to its own operation... possibly in an attempt to hide its presence during a forensic analysis."

Previously known stage-three modules included a packet sniffer, named "ps," and a communications plugin that lets the malware to communicate via Tor.

“It is obvious that the scope of this campaign is far bigger than initially thought," said Hahad. "The ability to infect endpoints introduces a new variable, and the clean-up process is more involved than just rebooting routers. Any exploit could have been used by the threat actors to target the computers behind infected routers."

"VPNFilter is still in full force, in the wild infecting a broader set of devices than known previously, which makes it quite concerning still," said Derek Manky, global security strategist at Fortinet's FortiGuard Labs division. "This is a good example of how even exposed campaigns can continue to move with velocity... This is showing a new level of sophistication when it comes to attacks, stealthier in nature as it uses hooks to piggyback on legitimate traffic streams."

Last month, the Department of Justice announced that the FBI seized a domain associated with the VPNFilter botnet, which the agency said is controlled by the Russian APT group Fancy Bear, aka Sofacy. (The campaign's focus on infecting Ukrainian hosts leads experts to believe Ukraine may be VPN'Filter's primary target.)

The DOJ advised owners of all small/home office routers and NAS devices to reboot their IoT products. Although rebooting will temporarily eliminate any second-stage modules, the persistent first-stage module will call out for instructions and try to reinfect the device. Nevertheless, "these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure," the DOJ explained in a May 23 press release.

'dstr' (device destruction module)

The dstr modules are used to render an infected device inoperable by deleting files necessary for normal operation. It deletes all files and folders related to its own operation first before deleting the rest of the files on the system, possibly in an attempt to hide its presence during a forensic analysis. 

The x86 version of the dstr module was analyzed in-depth. This module first deleted itself from the disk and then stops the execution of the parent Stage 2 process. It will then search all running process for ones named vpnfilter, security, and tor and terminate them. Next, it explicitly deletes the following files and directories:

'ps' (stage 3 packet sniffer)

One of stage 3 packet sniffer module samples we have is the R600VPN MIPS-like (Lexra architecture) sample. This sample is a packet sniffer that is looking for basic authentication as well as monitoring ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger (note: This is the full packet size, with headers. Depending on the size of the TCP header, the PDU could be approximately 56 to 96 bytes and still meet the criteria to get logged). It has the ability to view, but not modify, the network traffic. Very significant changes would be required to implement functionality that could modify traffic.

These new discoveries have shown us that the threat from VPNFilter continues to grow. In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support. If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.