This module's behavior will depend on the following parameters upon execution:
dump: ← used to specify where all of the intercepted HTTP headers are stored (reps_*.bin ← created at ELF_VPNFILT.B)
dst: ← used to create a specific destination IP address range that the iptables rule should apply to
src: ← used to create a specific source IP address range that the iptables rule should apply to
It replaces HTTPS with HTTP in requests to lower the security and extract data such as credentials and login information.
It intercepts data matching the following strings in the Authorization header to extract login credentials:
It intercepts network traffic that is destined for port 80 and configures the iptables rules of the infected device so that this traffic is redirected to port 8888 by executing the following Linux shell commands:
To ensure that the modified rules in the infected device's iptables will not be removed, this module deletes and restores them approximately every four minutes.
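A defender can check a device's exported ruleset for the port 80 to port 8888 redirect described above, including any source and destination ranges corresponding to the src: and dst: parameters. The following is an added example, not code from this report or from the malware; the ruleset is constructed sample `iptables-save` output, and the function names are hypothetical.

```python
import shlex

# Constructed iptables-save output for illustration; not captured from an infected device.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -s 192.0.2.0/24 -d 198.51.100.0/24 -p tcp -m multiport --dports 80,8080 -j REDIRECT --to-ports 8888
COMMIT
"""


def _option(tokens, *names):
    """Return the value following the first of the given option names, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def find_redirects(ruleset, from_port=80, to_port=8888):
    """Return nat-table rules that redirect TCP from_port to local to_port."""
    hits, table = [], None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]  # a line such as "*nat" opens that table's section
            continue
        if table != "nat" or not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        dports = _option(tokens, "--dport", "--dports") or ""
        target = _option(tokens, "-j")
        to_ports = _option(tokens, "--to-ports", "--to-port")
        if (target == "REDIRECT"
                and str(from_port) in dports.split(",")
                and to_ports == str(to_port)):
            hits.append({"chain": tokens[1], "src": _option(tokens, "-s"),
                         "dst": _option(tokens, "-d"), "rule": line})
    return hits
```

Because the module restores its rules approximately every four minutes, a rule that reappears after being deleted is itself a signal worth alerting on.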
Minimum Scan Engine: 9.850
FIRST VSAPI PATTERN FILE: 14.310.04
FIRST VSAPI PATTERN DATE: 07 Jun 2018
VSAPI OPR PATTERN File: 14.311.00
VSAPI OPR PATTERN Date: 08 Jun 2018
Scan your computer with your Trend Micro product to delete files detected as ELF_VPNFILT.D. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information: