It turns out that the threat of the massive VPNFilter botnet malware that was discovered late last month is beyond what we initially thought.

Security researchers from Cisco's Talos cyber intelligence have today uncovered more details about VPNFilter malware, an advanced piece of IoT botnet malware that infected more than 500,000 routers in at least 54 countries, allowing attackers to spy on users, as well as conduct destructive cyber operations.

Initially, it was believed that the malware targets routers and network-attached storage from Linksys, MikroTik, NETGEAR, and TP-Link, but a more in-depth analysis conducted by researchers reveals that the VPNFilter also hacks devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE.

"First, we have determined that are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Lin," the researchers say.

To hijack devices manufactured by above listed affected vendors, the malware simply relies on publicly-known vulnerabilities or use default credentials, instead of exploiting zero-day vulnerabilities.

VPNFilter 'ssler' — Man-in-the-Middle Attack Module

Besides this, the researchers primarily shared technical details on a new stage 3 module, named "ssler," which is an advanced network packet sniffer that, if installed, allows hackers to intercept network traffic passing through an infected router and deliver malicious payloads using man-in-the-middle attacks.
"Ssler module provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80," the researchers say.
This 3rd-stage module also makes the malware capable of maintaining a persistent presence on an infected device, even after a reboot.

The ssler module has been designed to deliver custom malicious payloads for specific devices connected to the infected network using a parameter list, which defines the module's behavior and which websites should be targeted.

These parameters include settings to define the location of a folder on the device where stolen data should be stored, the source and destination IP address for creating iptable rules, as well as the targeted URL of the JavaScript injection.

To setup packet sniffing for all outgoing web requests on port 80, the module configures the device's iptables immediately after its installation to redirect all network traffic destined for port 80 to its local service listening on port 8888.
"To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes," the researchers explain.
To target HTTPS requests, the ssler module also performs SSLStrip attack, i.e., it downgrades HTTPS connections to HTTP, forcing victim web browsers into communicating over plaintext HTTP.

VPNFilter 'dstr' — Device Destruction Module

As briefed in our previous article, VPNFilter also has a destructive capability (dstr module) that can be used to render an infected device unusable by deleting files necessary for normal device operation.

The malware triggers a killswitch for routers, where it first deliberately kills itself, before deleting the rest of the files on the system [named vpnfilter, security, and tor], possibly in an attempt to hide its presence during the forensic analysis.

This capability can be triggered on individual victim machines or en masse, potentially cutting off internet access for hundreds of thousands of victims worldwide.

Simply Rebooting Your Router is Not Enough

Despite the FBI seizure of a key command and control server right after the discovery of VPNFilter, the botnet still remains active, due to its versatile, multi-stage design.

Stage 1 of the malware can survive a reboot, gaining a persistent foothold on the infected device and enabling the deployment of stages 2 and 3 malware. So, each time an infected device is restarted, stages 2 and 3 are re-installed on the device.

This means, even after the FBI seized the key C&C server of VPNFilter, hundreds of thousands of devices already infected with the malware, likely remain infected with stage 1, which later installs stages 2 and 3.

Therefore, rebooting alone is not enough to completely remove the VPNFilter malware from infected devices, and owners of consumer-grade routers, switches, and network-attached storage devices need to take additional measures, which vary from model to model. For this, router owners are advised to contact their manufacturer.

For some devices, resetting routers to factory default could remove the potentially destructive malware, along with removing stage 1, while some devices can be cleaned up with a simple reboot, followed by updating the device firmware.

And as I said earlier, mark these words again: if your router cannot be updated, throw it away and buy a new one. Your security and privacy is more than worth a router's price.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.