VPNFilter botnet appears to make comeback, renews focus on Ukrainian network routers

The notorious VPNFilter botnet that infected over 500,000 home and business routers around the world seems to make a come back, according to security researchers from Jask and GreyNoise Intelligence. Although Cisco Talos, the researchers who first spotted the botnet’s activities, and the FBI have attempted to mitigate the immediate threat, experts say the number of infected devices in Ukraine seems to be growing.

In May, Cisco Talos said the VPNFilter malware has been targeting Netgear, TP-Link, Mikrotik, Linksys, and QNAP devices in a new cyber-espionage campaign attributed to the Russia-linked APT group Sofacy. The threat group, also known as Fancy Bear and APT28, has known to target government, military and security agencies and has been previously tied to the hack of the Democratic National Committee (DNC) during the 2016 US presidential election.

The same threat actor has been tied to the NotPetya ransomware outbreak, and the BlackEnergy attacks on Ukraine's power grid in 2015 and 2016.

Researchers said the newer iteration of the VPNFilter botnet seems to be scanning for Mikrotik routers on Ukrainian networks with port 2000 exposed online. Since May 8, the botnet has been specifically looking for Ukrainian routers, researchers found.

Cisco Talos researchers noted in their initial public disclosure that the VPNFilter botnet had a dedicated C&C server to manage Ukrainian devices. They also identified similarities between VPNFilter and the BlackEnergy malware used to target Ukrainian critical infrastructure.

At the time of public disclosure by Cisco researchers, Ukrainian officials believed the threat group was planning to leverage the botnet to disrupt the UEFA Champions League final held on May 26.

Shortly after Cisco Talos’ disclosure, the FBI said it took over the domain name used to manage the botnet’s C2 infrastructure. Still, the attackers behind the botnet seem to be unperturbed by these efforts.

“Activity like this raises some interesting questions about indications of ongoing Ukraine-targeted campaigns, a likely subject for future research,” Jask researchers noted in a blog post. “VPNFilter is a disturbing example of the increasingly aggressive cyber activity, which is a core component of today’s complex international political climate. If they haven’t already, the public needs to recognize that there are ongoing cyber and information warfare campaigns happening right in their own backyards.

On the flip side, security professionals need to pick their heads up out of the bits in order to see the myriad of other potential connections outside of their normal perspectives.”

Since the Ukrainian conflict involved pro-Russian and anti-government groups began in 2014, Ukraine has been hit with multiple cyber attacks over the years including BlackEnergy, NotPetya, Bad Rabbit, and PSCrypt.

What is VPNFilter capable of?

VPNFilter is an advanced piece of IoT malware that comprises of three stages. The first-stage payload looks to establish boot boot persistence on devices and survive reboot operations.

The second stage acts as a remote access trojan (RAT), while the third-stage payloads include plugins to enhance functionalities of the RAT..

The malware itself is capable of collecting data, inspecting local traffic, hijacking network data and even communicating using Tor and even wiping local firmware to destroy a single targeted device or all infected devices at once.

What’s next for the botnet?

The FBI immediately issued a public warning urging people to reboot their routers to thwart efforts of the VPNFilter malware and flush out any connections made. The US Justice Department clarified that the reboot will temporarily eliminate the second-stage malware and cause the first-stage malware to call out for further instructions.

“Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure,” officials said.

Liviu Arsene, a senior analyst at BitDefender, previously told Digital Trends: “Until now, we haven’t seen malware on IoT that could survive the reboot. If this malware survives the reboot, it’s a pretty big deal.”