Fancy Bear still Putin out new modules for VPNFilter malware

Talos turns up obfuscation, lateral attacks, and proxies

Cunning malware VPNFilter remains under active development, and is acquiring ever more dangerous features.

That's the conclusion Cisco's Talos Intelligence security team reached after delving into recent samples and identifying seven “third-stage VPNFilter modules that add significant functionality to the malware”.

VPNFilter rose to prominence in May, when Talos found half a million pwned home routers and NAS boxes in 54 countries. The FBI attributed the attacks to Russia's Sofacy group (“Fancy Bear”), seized a command-and-control domain, and asked people to reboot their routers.

While maintaining that VPNFilter has mostly been neutralised, Talos' Edmund Brumaghin wrote that “it can still be difficult to detect in the wild if any devices remain unpatched”.

The infosec company has stayed on the case, and this Wednesday released a blog post saying the new functions it has discovered include an “expanded ability” to attack endpoints from compromised network devices, data filtering, “multiple encrypted tunnelling capabilities” to conceal C&C and data exfiltration traffic, and a tool to build a network of proxies to conceal the true source of VPNFilter traffic.

The specific modules are called:

  • htpx – HTTP traffic redirection and traffic inspection;
  • ndbr – a multi-functional SSH utility;
  • nm – network mapping from compromised devices;
  • netfilter – a denial-of-service utility;
  • portforwarding – forwards network traffic to attacker-specified infrastructure;
  • socks5proxy – Sets up a SOCKS5 proxy on the compromised device; and
  • tcpvpn – Sets up a reverse-TCP VPN on the compromised device.

The other important discovery Talos highlighted in the post was the attackers' use of a MikroTik administration utility called Winbox, a small Windows 32 utility that mirrors the functions offered on the Web-based admin interface.

It turned out older versions of Winbox presented an attack vector through TCP Port 8291, and because Winbox data is passed as “large blobs of binary data,” exploits aren't easily identifiable in network traffic. By way of example, Brumaghin cited early September's directory traversal bug, CVE-2018-14847.

Talos has released a Winbox traffic dissector as a Wireshark plugin at GitHub. ®




Biting the hand that feeds IT © 1998–2018