Analysis by: Noel Anthony Llimos

ALIASES:

Linux.VPNFilter (Norton), Trojan.Linux.VPNFilter.D (Bitdefender)

 PLATFORM:

Linux


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware

This Trojan may be downloaded by other malware/grayware from remote sites.

  TECHNICAL DETAILS

File Size: 1,384,168 bytes
File Type: ELF
Memory Resident: Yes
Initial Samples Received Date: 07 Jun 2018
Payload: Compromises system security, Steals information

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

Other Details

This Trojan does the following:

  • To ensure that its modified rules in the infected device's iptables are not removed, this module deletes and re-creates them approximately every four minutes.
  • This module's behavior will depend on the following parameters upon execution:
    • dump: ← used to store all of the intercepted HTTP headers in reps_*.bin (created by ELF_VPNFILT.B)
    • dst: ← used to create a specific destination IP address range that the rule for iptables should apply to
    • src: ← used to create a specific source IP address range that the rule for iptables should apply to
    • site: ← When a URL is provided in this parameter, this URL will have its web pages targeted for JavaScript injection
    • hook: ← this parameter specifies the location or URL for the JavaScript file to be injected
  • It is capable of JavaScript Injection based on the data in the parameter "site:"
  • It downgrades HTTPS requests to HTTP to weaken transport security and extract data such as credentials and login information.
  • It inspects the authorization header of intercepted requests for the following strings to extract login credentials:
    • ail=
    • sername=
    • ame=
    • ser=
    • ogin=
    • hone=
    • session[password
    • session%5Bpassword
    • session%5Busername
  • It intercepts data and network traffic destined for port 80 by adding iptables rules on the infected device that redirect that traffic to port 8888, executing the following Linux shell commands:
    • iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
    • iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888
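A defender-side check for the two rules listed above, added here as an example and not part of this description or of Trend Micro's tooling: it parses `iptables-save` output (a constructed sample, not a real capture) and flags the port-80-to-8888 REDIRECT in the nat table and the matching ACCEPT on port 8888 in the filter table. Function names are assumptions.

```python
import re

# Constructed sample of `iptables-save` output: the module's two rules among
# ordinary router rules. iptables-save prints --to-port as --to-ports.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Match both the saved form (--to-ports) and the typed form (--to-port).
REDIRECT_RE = re.compile(r"--dport 80\b.*-j REDIRECT\b.*--to-ports? 8888\b")
ACCEPT_RE = re.compile(r"--dport 8888\b.*-j ACCEPT\b")


def parse_iptables_save(text):
    """Yield (table, chain, rule_line) for every -A/-I rule in iptables-save output."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *nat
            table = line[1:]
        elif line.startswith(("-A ", "-I ")):
            yield table, line.split()[1], line


def find_vpnfilter_rules(text):
    """Return (table, chain, description, rule) for each rule matching the module's behaviour."""
    findings = []
    for table, chain, rule in parse_iptables_save(text):
        if table == "nat" and chain == "PREROUTING" and REDIRECT_RE.search(rule):
            findings.append((table, chain, "HTTP port 80 redirected to 8888", rule))
        elif table == "filter" and chain == "INPUT" and ACCEPT_RE.search(rule):
            findings.append((table, chain, "inbound TCP 8888 accepted", rule))
    return findings


if __name__ == "__main__":
    for finding in find_vpnfilter_rules(SAMPLE_IPTABLES_SAVE):
        print("suspicious rule:", *finding)
```

Because the module re-creates the rules roughly every four minutes, run the check on a schedule rather than once: a single snapshot taken during the brief delete/restore window can miss them.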

  SOLUTION

Minimum Scan Engine: 9.850
FIRST VSAPI PATTERN FILE: 14.310.04
FIRST VSAPI PATTERN DATE: 07 Jun 2018
VSAPI OPR PATTERN File: 14.311.00
VSAPI OPR PATTERN Date: 08 Jun 2018

Scan your computer with your Trend Micro product to delete files detected as ELF_VPNFILT.D. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
