Threat Watch

VPNFilter More Robust Than Previously Known

Researchers have discovered seven more modules for the Russian malware VPNFilter. Upon its discovery, researchers were immediately aware of two modules built into the malware: a packet sniffer and a module that enabled communication with C&C servers over the Tor network. Continued dissection of the malware has led to further discoveries. The seven additional modules significantly increase the potential damage the malware can cause. They are:

htpx – Redirects and inspects unsecured web traffic

nbdr – Multi-functional SSH utility

nm – Conducts network mapping from infected devices

netfilter – Denial of Service tool

portforwarding – Forwards network traffic to attacker-controlled servers

socks5proxy – Enables the establishment of a SOCKS5 proxy

tcpvpn – Enables the establishment of a reverse TCP VPN (similar to Cobalt Strike’s VPN Pivoting)

ANALYST NOTES