VPNFilter malware targets ASUS and DLINK routers now also and injects code into WWW

Published by


A week or two ago we reported about VPNFilter malware. A command and control server was recently caught by the FBI, however now it malware appears to target new router types and does so with new features, injecting malicious code into network traffic.

Two weeks ago we reported that devices affected by the malware called VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. While most manufacturers have issued a solve. New to the list are Asus, D-Link, Huawei and ZTE. While the control server was captured, it is still possible to communicate with infected machines possibly hundreds of thousands.

Here is Talos on the topic, have a read here for the comprehensive report:

First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected. We've provided an updated device list below.

We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named "ssler" below.

Additionally, we've discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called "dstr," is also provided below.

We obviously recommend you to install the latest firmware on your Router and internet connected NAS units. Here is a table displaying all currently known devices susceptible to infection, in bold the new additions.

Linksys Mikrotik Netgear Qnap TP-Link Asus D-Link Huawei Ubiquity ZTE
E1200 CCR1016 DGN2200 TS251 R600VPN RT-AC66U DES-1210-08P HG8245 NSM2 ZXHN H108N
E2500 CCR1036 R6400 TS439 Pro TL-WR741ND RT-N10 DIR-300   PBE M5  
WRVS4400N CCR1072 R7000   TL-WR841N RT-N10E DIR-300A      
E3000 CCR1009 R8000     RT-N10U DSR-250N      
E3200 CRS109 WNR1000     RT-N56U DSR-500N      
E4200 CRS112 WNR2000     RT-N66U DSR-1000      
RV082 CRS125 DG834       DSR-1000N      
  RB411 DGN1000              
  RB450 DGN3500              
  RB750 FVS318N              
  RB911 MBRN3000              
  RB921 WNR2200              
  RB941 WNR4000              
  RB951 WNDR3700              
  RB952 WNDR4000              
  RB960 WNDR4300              
  RB962 WNDR4300-TN              
  RB1100 UTM50              
  RB Groove                
  RB Omnitik                

VPNFilter malware targets ASUS and DLINK routers now also and injects code into WWW

Share this content
Twitter Facebook Reddit WhatsApp Email Print