The VPNFilter Trojan has been updated by the developers behind it with new modules that make it an even more dangerous threat. The detailed security analysis shows that in the hands of experienced hackers it can cause significant damage to whole networks.
VPNFilter Trojan Updated Once Again, Now Has an Even More Deadly Arsenal of Modules
The VPNFilter Trojan is one of the most sophisticated threats observed by security analysts of late. Its first targeted attacks were able to take down thousands of network devices around the globe. The security team behind the report states that the updated version adds additional third-stage modules which heavily enhance its functionality.
One functional addition is the ability to leverage networks and exploit endpoint devices located on the same network as VPNFilter-infected hosts. The hackers can obfuscate and encrypt the network traffic coming from those endpoints back to the infected clients. Several user identification tools can be used following infection, which helps the operators carry out identity theft and other crimes. Another significant new addition is the ability to create a large network of proxies that can be used in coordinated attacks; as a result, network analysis can be misleading for some administrators.
The first addition to the VPNFilter Trojan is the endpoint exploitation module. It is based on open-source code and its primary function is to forward all web server traffic to another port. The module is also programmed to inspect HTTP requests and identify potential Windows executables; it is presumed that this uses a built-in list of target applications. If any of them are encountered, the module will download and patch them on the fly to bypass potential blocks.
To achieve a deeper infection and give the operators greater freedom, a new multi-functional SSH tool is implemented. It can scan the ports of various IP addresses in order to assess whether or not the Trojan can infect them through a vulnerable service. It will also set up a remote control server that authenticates with a public key instead of a typical password. The deployed connection can connect to a remote host and issue various commands, and when programmed properly it can launch a denial-of-service (DoS) utility using simple arguments.
Wide area network attacks can be coordinated better by enabling the network mapper. It will scan for all open ports on the network and attempt to automatically connect to open services. The analysis reveals that the following ports are probed:
9, 21, 22, 23, 25, 37, 42, 43, 53, 69, 70, 79, 80, 88, 103, 110, 115, 118, 123, 137, 138, 139, 143, 150, 156, 161, 190, 197, 389, 443, 445, 515, 546, 547, 569, 3306, 8080 and 8291.
Its built-in functionality can locate MikroTik devices using the MikroTik Network Discovery Protocol (MNDP). If the devices are online and respond, they will return the following data: MAC address, system identity, version number, platform type, uptime in seconds, RouterOS software ID, RouterBoard model, and interface name of the discovered device.
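From the defender's side, the port list above is a useful fingerprint: a single source touching many of these ports on one host in a short time is the signature of the mapper at work. The following Python script is an added example, not code from the original analysis or from the VPNFilter report; it runs over a constructed connection log, and the log format, the 8-port threshold and the 5-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the VPNFilter network-mapper module is reported to probe (from the analysis above).
MAPPER_PORTS = {9, 21, 22, 23, 25, 37, 42, 43, 53, 69, 70, 79, 80, 88, 103, 110, 115,
                118, 123, 137, 138, 139, 143, 150, 156, 161, 190, 197, 389, 443, 445,
                515, 546, 547, 569, 3306, 8080, 8291}

# Constructed sample connection log (not real traffic): "<timestamp> <src> -> <dst>:<port>"
SAMPLE_LOG = """\
2018-09-26T10:00:01 192.0.2.10 -> 192.0.2.20:21
2018-09-26T10:00:02 192.0.2.10 -> 192.0.2.20:22
2018-09-26T10:00:02 192.0.2.10 -> 192.0.2.20:23
2018-09-26T10:00:03 192.0.2.10 -> 192.0.2.20:53
2018-09-26T10:00:04 192.0.2.10 -> 192.0.2.20:80
2018-09-26T10:00:05 192.0.2.10 -> 192.0.2.20:445
2018-09-26T10:00:06 192.0.2.10 -> 192.0.2.20:3306
2018-09-26T10:00:07 192.0.2.10 -> 192.0.2.20:8291
2018-09-26T10:00:09 192.0.2.10 -> 192.0.2.20:1234
2018-09-26T10:05:00 192.0.2.11 -> 192.0.2.20:443
2018-09-26T11:00:00 192.0.2.11 -> 192.0.2.20:80
"""

def parse_line(line):
    ts, src, _, dst = line.split()  # assumed log layout, see comment above
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def find_sweeps(log_text, min_ports=8, window=timedelta(minutes=5)):
    """Return {(src, dst): sorted mapper ports} for each source that hit at least min_ports
    distinct MAPPER_PORTS on one host inside a sliding window; other ports (e.g. 1234) are ignored."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port)]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            if port in MAPPER_PORTS:
                events[(src, dst)].append((ts, port))
    hits = {}
    for pair, evs in events.items():
        evs.sort()
        best, start = set(), 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # drop events that fell out of the window
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(best):
                best = ports  # keep the widest qualifying window for this pair
        if best:
            hits[pair] = sorted(best)
    return hits
```

Calling find_sweeps(SAMPLE_LOG) flags 192.0.2.10 against 192.0.2.20 with eight mapper ports, while the slow, three-port activity of 192.0.2.11 stays below the threshold.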
Port forwarding is a mechanism abused by many Trojans of late. When configured properly it allows network traffic to be directed against a target infrastructure. For a more lethal attack it can be combined with a SOCKS5 proxy: the infected hosts are configured to run a proxy, which can then be used to manipulate shapers, routers and other network devices.
Finally, a reverse-TCP VPN server can be enabled on the infected hosts. Complex network configurations and firewalls can be bypassed using this method, as corporate networks typically rely on such measures as part of their security policy.
The network analysis shows that, after the last few large-scale attacks, the VPNFilter Trojan has undergone several major updates. It is possible that the criminals are planning another major cyber attack and that this is the reason for the significant updates.