The Return of VPNFilter Malware

Delaware, USA – June 5, 2018 – APT28 (aka Fancy Bear group) continues distribution of VPNFilter malware. Cybercriminals created a new botnet to compromise Mikrotik routers via the open port 2000. Researchers from Jask discovered a number of IP addresses scanning networks in Ukraine for vulnerable devices. Despite the fact that the FBI took control of the primary command and control server for this operation, it is unlikely that a colossal botnet from more than 500,000 infected devices disappeared without a trace. The initial VPNFilter malware establishes persistence on the routers even after their reboot, and capabilities of third stage payloads are far from explored. One of the analyzed modules enables communications via the Tor network, and in the case of disabling of the C&C server, adversaries can send a specially crafted packet to the infected router providing the IP address to obtain a second stage payload.

At the moment it is not known what changes the attackers made to VPNFilter malware, where the C&C server is now located and how many of the half a million devices remained infected and controlled by APT28. Primary targets of their future attack are believed located in Ukraine, however, as in the case of NotPetya, many organizations around the world can suffer. VPNFilter is one of the most sophisticated IoT malware that capable not only to intercept traffic but also to rewrite the firmware of the device. If you use a vulnerable router, you need to reboot it and reset it to factory settings. Sigma rules in Threat Detection Marketplace were updated to detect the activity of new botnet.
VPNFilter Destructive Malware detection (IP): https://tdm.socprime.com/sigma/generate/VAJmkWMBqfpvXJhTFQwo/
VPNFilter Destructive Malware detection (domain/IP): https://tdm.socprime.com/sigma/generate/PgLhkGMBqfpvXJhTegzn/