VPNFilter Malware Infected 5 Lakh Devices which is Worse than First Thought

Almost two weeks ago, executives in the public and private sectors warned that hackers working for the Russian government had infected approximately 5 lakh consumer-grade routers in 54 countries with malware that could be used for a variety of malicious purposes.

A researcher on Cisco's Talos security team said additional study shows that the malware is far more powerful than initially thought and runs on a much broader range of models, many of them from manufacturers previously believed to be unaffected.

The report shows a sharp increase in the number of affected devices compared with the original estimate. Researchers from Cisco's Talos team have also found additional VPNFilter capabilities, packaged as third-stage plugins in the deployment system.

Ssler is a plugin used to intercept and modify web traffic on port 80 through man-in-the-middle attacks. The plugin also supports downgrading HTTPS connections to HTTP.
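The downgrade behaviour described above leaves traces a defender can look for in captured HTTP exchanges. The following is an added example, not code from the article or from Cisco Talos: it runs a few heuristics over a captured port-80 response and reports indicators of HTTPS-to-HTTP stripping. The baseline set of hosts, the dataclass and all sample responses are assumptions constructed for the illustration.

```python
"""
Added example (not from the article or Cisco Talos): heuristics a defender can
run over a captured port-80 HTTP response to spot signs of HTTPS-to-HTTP
downgrade (SSL stripping) of the kind the article attributes to the ssler
plugin. Every sample response here is constructed for this illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class HttpResponse:
    host: str                      # Host the client asked for on port 80
    status: int                    # HTTP status code returned
    headers: dict = field(default_factory=dict)
    body: str = ""


# Hosts the organisation knows serve HSTS and redirect port 80 to HTTPS.
# Assumption for the example: this baseline is maintained by the defender.
EXPECT_HTTPS = {"bank.example", "mail.example"}

HTTPS_LINK = re.compile(r"https://([\w.-]+)", re.I)
HTTP_LINK = re.compile(r"http://([\w.-]+)", re.I)


def downgrade_indicators(resp: HttpResponse, baseline: set = EXPECT_HTTPS) -> list:
    """Return a list of indicator strings; an empty list means nothing suspicious."""
    findings = []
    hdrs = {k.lower(): v for k, v in resp.headers.items()}

    if resp.host in baseline:
        # A host that normally redirects port 80 to HTTPS answering 200 is a
        # classic sign that something in the path is serving a stripped copy.
        if resp.status == 200:
            findings.append("port-80 request answered with 200 instead of redirect to https")
        if "strict-transport-security" not in hdrs:
            findings.append("Strict-Transport-Security header missing")

    # A redirect that sends the client to a plaintext URL is suspicious anywhere.
    loc = hdrs.get("location", "")
    if resp.status in (301, 302, 307, 308) and loc.startswith("http://"):
        findings.append(f"redirect points to plaintext URL {loc}")

    # Links to baseline hosts rewritten to http:// with no https:// link left.
    http_hosts = set(HTTP_LINK.findall(resp.body))
    https_hosts = set(HTTPS_LINK.findall(resp.body))
    for h in sorted(http_hosts):
        if h in baseline and h not in https_hosts:
            findings.append(f"link to {h} served as http:// only")
    return findings


if __name__ == "__main__":
    # Constructed sample: a stripped login page for a baseline host.
    sample = HttpResponse(
        "bank.example", 200, {"Content-Type": "text/html"},
        '<a href="http://bank.example/login">Login</a>',
    )
    for line in downgrade_indicators(sample):
        print("indicator:", line)
```

The check is deliberately conservative: it only raises findings for hosts the defender has baselined as HTTPS-only, plus the one condition (a redirect to a plaintext URL) that is suspicious regardless of host.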

Dstr is a plugin that overwrites device firmware files. Cisco Talos already knew that VPNFilter could wipe device firmware, but its recent report pinpoints this function to a specific third-stage plugin.

Psa is a plugin that can sniff network packets and detect specific types of network traffic. Cisco believes this plugin was generally used to look for Modbus TCP/IP packets, which are frequently used by SCADA equipment and industrial software, but Cisco's most recent report states that the plugin also looks for industrial equipment that connects over TP-Link R600 virtual private networks.
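Since the sniffer plugin is described as looking for Modbus TCP/IP traffic, a defender's first question is whether such traffic is crossing a consumer router at all. The following is an added example, not code from the article or from Cisco Talos: it parses the Modbus/TCP MBAP header from captured payloads and flags Modbus frames that leave the internal network or carry write commands. The flow-record format, the internal address prefix and the sample frames are assumptions constructed for the illustration; the function codes come from the public Modbus application protocol specification.

```python
"""
Added example (not from the article or Cisco Talos): identify Modbus/TCP frames
in captured payloads and flag the ones a defender would want to know about,
i.e. SCADA traffic crossing the network boundary or carrying write commands.
All sample frames and flow records are constructed for this illustration.
"""
import struct

MODBUS_PORT = 502
# Function codes from the public Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP frame (MBAP header + PDU); return a dict or None if not Modbus."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is always 0 for Modbus; length counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6 or length < 2:
        return None
    fc = payload[7]
    code = fc & 0x7F                     # high bit set marks an exception response
    return {
        "transaction": tid,
        "unit": unit,
        "function": code,
        "exception": bool(fc & 0x80),
        "name": FUNCTION_NAMES.get(code, "other"),
        "write": code in WRITE_CODES,
    }


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Construct a sample Modbus/TCP frame (used only to build test input here)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def flag_flows(flows, internal_prefix: str = "192.168.") -> list:
    """flows: iterable of (src, dst, dport, payload) tuples (assumed record format).
    Return alert strings for Modbus traffic leaving the internal network or writing."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != MODBUS_PORT:
            continue
        frame = parse_mbap(payload)
        if frame is None:
            continue
        if not dst.startswith(internal_prefix):
            alerts.append(f"{src}->{dst} Modbus {frame['name']} crosses network boundary")
        if frame["write"]:
            alerts.append(f"{src}->{dst} Modbus write: {frame['name']} unit {frame['unit']}")
    return alerts


if __name__ == "__main__":
    # Constructed sample flows: a local read, a write leaving the LAN, and plain HTTP.
    read_frame = build_frame(1, 1, 3, bytes([0, 0, 0, 10]))
    write_frame = build_frame(2, 1, 6, bytes([0, 1, 0, 0xFF]))
    sample_flows = [
        ("192.168.1.10", "192.168.1.20", 502, read_frame),
        ("192.168.1.10", "203.0.113.5", 502, write_frame),
        ("192.168.1.10", "192.168.1.20", 80, b"GET / HTTP/1.1\r\n"),
    ]
    for alert in flag_flows(sample_flows):
        print(alert)
```

The length check against the MBAP header is what keeps ordinary port-502 noise from being misread as Modbus; a real deployment would feed `flag_flows` from a capture tool rather than the constructed tuples shown here.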

Tor is a plugin used by VPNFilter bots to communicate with the command and control server through the Tor network.

Cisco Talos's first report has since been updated with technical documentation of the malware, including information on the ssler, dstr, ps and tor third-stage plugins. The botnet was first thought to be aimed at Ukraine's IT infrastructure; however, some experts believed the attack was meant for the UEFA Champions League soccer final held at the end of the previous month. The FBI has also taken steps to kill the botnet by taking down the malware's command and control component.
