VPNFilter malware which has affected over half million devices and Network Attached Storage devices spanning 54 countries during the past few months has now taken a new turn courtesy of research from Cisco.
The report shows a sharp increase in the number of devices affected compared with the original. Researchers have also found additional VPNFilter capabilities which were packaged as the third stage plugin in the deployment system.
ssler – plugin for intercepting and modifying web traffic on port 80 via man-in-the-middle attacks. Plugin also supports downgrading HTTPS to HTTP.
dstr – plugin to overwriting device firmware files. Cisco knew VPNFilter could wipe device firmware, but in its recent report pinpointed this function to this specific third-stage plugin.
ps – plugin that can sniff network packets and detect certain types of network traffic. Cisco believes this plugin was used to look for Modbus TCP/IP packets, often used by industrial software and SCADA equipment, but in its most recent report claims the plugin will also look for industrial equipment that connects over TP-Link R600 virtual private networks as well.
tor – plugin used by VPNFilter bots to communicate with a command and control server via the Tor network.
The Technical documentation of the malware has been updated since Cisco’s first report, now including information about ssler, dstr, and the ps third-stage plugins. The botnet was first thought to be aimed at Ukraine’s IT infrastructure, however many experts believe that the cyber attack was meant for the UEFA Champion League Soccer final which was held at the end of last month. The FBI have also taken steps to kill the botnet by removing the command and the control element of the malware.
Take your time to comment on this article.
Latest posts by Harikrishna Mekala (see all)
- The MyCloud Auth Vulnerability Fixed by Western Digital with a Hotfix - September 24, 2018
- Virobot Ransomware Logs Keystrokes and Adds PC to Spam Botnet - September 24, 2018
- Freelancers Being Targeted With Malware Disguised as Job Offers - September 23, 2018