If it fails to connect to the URL, it opens a port that waits for a specific trigger to establish a connection for the author to have access interactively to the infected device.
It generates a URL from the configuration file where it will download and save the file using the following names
Minimum Scan Engine: 9.850
FIRST VSAPI PATTERN FILE: 14.274.04
FIRST VSAPI PATTERN DATE: 24 May 2018
VSAPI OPR PATTERN File: 14.275.00
VSAPI OPR PATTERN Date: 25 May 2018
Scan your computer with your Trend Micro product to delete files detected as ELF_VPNFILT.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information: