On May 25th of 2018, the FBI issued a PSA recommending that “any owner of small office and home office routers” reboot those devices. The reason was that VPNFilter, a sophisticated piece of malware developed by a nation-state, had infected about 500,000 router and NAS devices worldwide. The network of compromised devices created by VPNFilter posed a serious threat to global cybersecurity, but appeared to be focused primarily on Ukraine.

VPNFilter is an advanced, multi-stage modular malware.

Stage 1 - Once a device is compromised, it reaches out to a domain hosting images with the IP address of the stage-2 command and control (C&C or C2) servers embedded in the EXIF metadata. This stage’s purpose is to gain a persistent foothold on the compromised device.

Stage 2 - After connecting to the C&C servers, stage-2 malware is pushed to the device. Although it does not persist through a reboot, it possesses a number of capabilities such as file collection, command execution, data exfiltration and device management, as well as a “self-destruct” capability that renders the device unusable.

Stage 3 - Additional modules act as plugins for the stage-2 malware, providing extra functionality:

1. Additional capabilities that could be leveraged to map networks and exploit endpoint systems that are connected to devices compromised by VPNFilter.

2. Multiple ways for the threat actor to obfuscate and/or encrypt malicious traffic, including communications used for C2 and data exfiltration.

3. Multiple tools that could be utilized to identify additional victims accessible from the actor's foothold on devices compromised by VPNFilter for both lateral movement within a network, as well as to identify new edge devices in other networks of interest to the actor.

4. The capacity to build a distributed network of proxies that could be leveraged in future unrelated attacks to provide a means of obfuscating the true source of attack traffic by making it appear as if the attacks originated from devices previously compromised by VPNFilter.
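Stage 1 hides the C2 address inside image metadata, so a defender hunting for this kind of beacon wants to look at what EXIF actually carries rather than at the picture. The following is an added example, not code from this page or from the Talos and FBI reports it links: it builds a tiny constructed JPEG whose EXIF segment holds an ImageDescription tag and a GPS sub-IFD, parses the TIFF/IFD structure by hand (no Pillow or exiftool dependency), and flags two things as suspicious. The heuristics (an IPv4-looking string in any ASCII tag, and GPS coordinates outside the physically valid range) are assumptions about what a hunt might key on, not a VPNFilter signature; the sample description text and coordinates are constructed.

```python
"""Scan a JPEG's EXIF metadata for values that could carry hidden C2 data."""
import re
import struct

# TIFF/EXIF tag and field-type constants used below
TAG_IMAGE_DESCRIPTION = 0x010E
TAG_GPS_IFD = 0x8825
TAG_GPS_LATITUDE = 0x0002
TAG_GPS_LONGITUDE = 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_sample_jpeg(description: str, lat_deg: int, lon_deg: int) -> bytes:
    """Construct a minimal JPEG (SOI + APP1/EXIF + EOI) for testing; no pixel data.

    Little-endian TIFF layout: IFD0 -> {ImageDescription, GPSInfo},
    GPS IFD -> {GPSLatitude, GPSLongitude} as degrees/minutes/seconds rationals.
    """
    desc = description.encode("ascii") + b"\x00"  # ASCII fields are NUL-terminated
    ifd0_off = 8                                   # offsets are relative to the TIFF header
    ifd0_len = gps_ifd_len = 2 + 2 * 12 + 4        # count + two entries + next-IFD pointer
    gps_ifd_off = ifd0_off + ifd0_len
    desc_off = gps_ifd_off + gps_ifd_len
    lat_off = desc_off + len(desc)
    lon_off = lat_off + 24                         # three rationals of 8 bytes each

    def entry(tag, typ, count, value):
        return struct.pack("<HHII", tag, typ, count, value)

    def dms(deg):  # degrees, 0 minutes, 0 seconds as rationals
        return struct.pack("<IIIIII", deg, 1, 0, 1, 0, 1)

    ifd0 = struct.pack("<H", 2)
    ifd0 += entry(TAG_IMAGE_DESCRIPTION, TYPE_ASCII, len(desc), desc_off)
    ifd0 += entry(TAG_GPS_IFD, TYPE_LONG, 1, gps_ifd_off)
    ifd0 += struct.pack("<I", 0)
    gps = struct.pack("<H", 2)
    gps += entry(TAG_GPS_LATITUDE, TYPE_RATIONAL, 3, lat_off)
    gps += entry(TAG_GPS_LONGITUDE, TYPE_RATIONAL, 3, lon_off)
    gps += struct.pack("<I", 0)

    tiff = b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + gps + desc + dms(lat_deg) + dms(lon_deg)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xFF\xD8" + app1 + b"\xFF\xD9"


def _find_exif(jpeg: bytes) -> bytes:
    """Walk JPEG marker segments and return the TIFF block inside the APP1/Exif segment."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + length]
        if marker == 0xFFDA:  # start of scan: no more header segments follow
            break
        pos += 2 + length
    raise ValueError("no EXIF segment")


def _read_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one IFD."""
    (n,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        base = offset + 2 + i * 12
        tag, typ, count = struct.unpack(endian + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _ascii(tiff: bytes, entry: tuple, endian: str) -> str:
    _, count, raw = entry
    if count > 4:  # value does not fit inline, raw holds an offset
        (off,) = struct.unpack(endian + "I", raw)
        raw = tiff[off:off + count]
    return raw[:count].rstrip(b"\x00").decode("ascii", "replace")


def _dms_degrees(tiff: bytes, entry: tuple, endian: str) -> float:
    _, count, raw = entry
    (off,) = struct.unpack(endian + "I", raw)
    vals = struct.unpack(endian + "II" * count, tiff[off:off + 8 * count])
    parts = [n / d if d else float("inf") for n, d in zip(vals[::2], vals[1::2])]
    return parts[0] + parts[1] / 60 + parts[2] / 3600


def scan_exif(jpeg: bytes) -> list:
    """Return human-readable findings for EXIF content that looks like smuggled data."""
    tiff = _find_exif(jpeg)
    endian = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    findings = []
    for tag, entry in ifd0.items():
        if entry[0] == TYPE_ASCII:
            for ip in IPV4_RE.findall(_ascii(tiff, entry, endian)):
                findings.append(f"tag 0x{tag:04X} contains IPv4-like string {ip}")
    if TAG_GPS_IFD in ifd0:
        (gps_off,) = struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])
        gps = _read_ifd(tiff, gps_off, endian)
        for tag, name, limit in ((TAG_GPS_LATITUDE, "latitude", 90), (TAG_GPS_LONGITUDE, "longitude", 180)):
            if tag in gps:
                deg = _dms_degrees(tiff, gps[tag], endian)
                if deg > limit:
                    findings.append(f"GPS {name} {deg:.1f} exceeds valid range (> {limit})")
    return findings


if __name__ == "__main__":
    # Constructed samples: a plausible holiday photo and one with out-of-range GPS plus an IP in the text
    for label, img in (("benign", build_sample_jpeg("holiday photo", 48, 2)),
                       ("suspect", build_sample_jpeg("see 203.0.113.5", 97, 230))):
        print(label, scan_exif(img) or "no findings")
```

The parser only walks IFD0 and the GPS sub-IFD, which is enough to show the idea; a production hunt would also descend into the Exif sub-IFD and MakerNote blobs, and would treat any well-formed but semantically impossible value (a date in the year 2300, a 0-degree everything except one odd field) the same way as the out-of-range coordinates here.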

List of Modules

• packetsniffer - collects all traffic passing through the device

• torify - uses Tor to communicate with the stage-2 command and control servers

• ssler - intercepts network traffic and injects malicious code into it without the user's knowledge

• dstr - destroys the device when activated

• htpx - allows the injection of malicious code into Windows executable files during download

• ndbr - functions as a Secure Shell (SSH) server and network scanner

• netfilter - denial-of-service module that can block access to sites

• portforwarding - redirects victims to attacker-controlled servers

• socks5proxy - activates a SOCKS5 proxy on compromised devices to obfuscate traffic

• tcpvpn - establishes a reverse-TCP VPN backdoor on compromised devices

Sources

• https://www.ic3.gov/media/2018/180525.aspx

• https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html

• https://blog.talosintelligence.com/2018/05/VPNFilter.html

• https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

• https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html

Products sold by OpenVault are for entertainment and educational purposes only. Customers are purchasing a physical copy of digital artwork (software box).