A recently discovered form of destructive malware that targets routers is rapidly spreading worldwide in an apparent attempt to create a massive botnet.

First detailed by security researchers at Cisco Talos Wednesday, the VPNFilter malware is believed to have originally been created by Russian state-sponsored actors to target routers in Ukraine but has since spread far further. The number of infected routers is believed to be about 500,000 in 54 countries and growing.

The malware targets Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office market, as well as QNAP network-attached storage devices. It distinguishes itself through persistence, in that it can maintain a presence on an infected device even after a reboot.

Once a router is infected, VPNFilter deploys in multiple stages. According to Symantec, stage one of the infection establishes a persistent presence and then contacts a command-and-control server to download further modules. Stage two involves installed modules that can deliver a payload, steal data, execute files and even hijack device management. Worse still, the modules also come with the capability of bricking a device if so commanded by the hackers, overwriting a section of the device’s firmware.

Stage three involves the installation of a variety of modules, described as plugins for the stage two modules. Some include “packet sniffing” to allow the theft of website credentials, while another deploys communications support for the Tor network, an ability that can help make communication back to the C&C server more difficult to detect by traditional monitoring tools.

Describing VPNFilter as a “ticking time bomb,” Paul Ducklin, senior technologist at Sophos Group plc, told SiliconANGLE that it’s time for a router health check.

“Home devices like routers are popular targets for cybercrooks these days, yet they’re often neglected from a cybersecurity point of view,” Ducklin explained. “Start with the basics. Check for a firmware update with your router vendor — do it today! And pick proper passwords. The crooks know every default password that ever left the factory, so why make it easy for them?”

Image: Pixabay