VPNFilter malware caught infecting Asus, D-Link, Huawei, ZTE & others

VPNFilter malware is back and it seems like rebooting your routers will not protect them against this growing threat.

VPNFilter malware was discovered by Cisco Talos but it got more attention when the FBI, a couple of weeks ago, seized a domain hosting botnet of 500,000 hacked IoT devices including network-access storage (NAS) devices and home and office (SOHO) routers in at least 54 countries.

The seized domain created the botnet with the help of VPNFilter malware which the FBI believes is linked to highly sophisticated and well funded Russian hackers. Later on, the Bureau shared a list of compromised router models and urged users around the world to reboot their routers to get rid of VPNFilter malware.

However, now, it has come to attention that VPNFilter malware infection is far more dangerous than previously thought. According to the latest findings by Cisco Talos, the list of devices targeted by VPNFilter is increasing which is not a good news. 

The latest research reveals that the malware now is targeting routers developed by manufacturers like ASUS, D-Link, Huawei, UPVEL, Ubiquiti, and ZTE. The researchers have also identified additional capabilities in VPNFilter including the ability to deliver exploits to endpoints and override reboots.

See: Authorities dismantle Andromeda Botnet that infected millions of devices

Furthermore, Talos researchers have also found “ssler,” a three-stage module exploiting web traffic to inject malicious content as it passes through a network device. This allows attackers to deliver exploits to endpoints via a man-in-the-middle capability – All this is done without the victim’s knowledge.

“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” said the blog post.

This also indicates that rebooting routers is practically useless and does not protect targeted routers from VPNFilter malware. Additionally, researchers have identified that the malware is also equipped with “dstr” (device destruction module) which is “used to render an infected device inoperable by deleting files necessary for normal operation,” wrote researchers.

“It deletes all files and folders related to its own operation first before deleting the rest of the files on the system, possibly in an attempt to hide its presence during a forensic analysis.”

List of newly identified routers models targeted by VPNFilter malware

Asus: RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, and RT-N66U.
D-Link: DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, and DSR-1000N.
Huawei: HG8245.
Linksys: E1200, E2500, E3000 E3200, E4200, RV082, and WRVS4400N.
Mikrotik: CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, and STX5.
Netgear: DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, and UTM50.
QNAP: TS251, TS439 Pro, and other QNAP NAS devices running QTS software.
P-Link: R600VPN, TL-WR741ND, and TL-WR841N.
Ubiquiti: NSM2 and PBE M5.
ZTE: ZXHN H108N.

“These new discoveries have shown us that the threat from VPNFilter malware continues to grow. In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware’s capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support,” concluded researchers.

“If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability, and destructive malware.” 

See: New IoT Botnet DoubleDoor Bypass Firewall to Drop Backdoor

Image credit: Depositphotos

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.