Talos: Some hackers, likely state-sponsored or state-affiliated, are conducting a malicious cyber campaign against Ukraine with the sophisticated modular malware system “VPNFilter”
Some hackers, likely state-sponsored or state-affiliated, are conducting a malicious cyber campaign against Ukraine. The campaign was discovered by the cyber security researchers of Cisco Talos. For their attack, the actors use a sophisticated modular malware system dubbed “VPNFilter.” “In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine,” the Talos blog reported. “While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don’t yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.”
The cyber security experts: We estimate the number of infected devices to be at least 500,000 in at least 54 countries
Both the scale and the capability of this operation are concerning for Talos cyber security experts. Working with its partners, the company estimates the number of infected devices to be at least 500,000 in at least 54 countries. “The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices,” the blog continues. “No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues. The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.” This means the malicious actors can expand their cyber warfare operation quickly.
The cyber warfare campaign and the modular malware are highly destructive
The Talos conclusion on the cyber warfare operation and its TTPs is that “VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks. The destructive capability particularly concerns us. This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware. If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor’s purposes.”
The company: We call on the entire security community to join us in aggressively countering this threat
“While the threat to IoT devices is nothing new,” the post concludes, “the fact that these devices are being used by advanced nation-state actors to conduct cyber operations, which could potentially result in the destruction of the device, has greatly increased the urgency of dealing with this issue. We call on the entire security community to join us in aggressively countering this threat.”
Photo Credits: Talos