ELF_VPNFILT.B

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be downloaded by other malware/grayware from remote sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded by the following malware/grayware from remote sites:

• ELF_VPNFILT.A

Installation

This Backdoor adds the following folders:

• /var/run/vpnfilterw <- Used by ELF_VPNFILT.C

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Terminate its current process
• Reboot the infected device
• Delays the reboot of the device
• Read local file contents
• Execute commands or another plugin with the following Linux Shell Commands:
  • /bin/sh
  • /bin/ash
  • /bin/bash
  • /bin/shell
• Delete system files, and directories
• Set its C&C proxy
• Set its C&C proxy port
• Set its other configuration parameters

It connects to the following websites to send and receive information:

• {BLOCKED}skd4gipkm.onion/bin32/update.php
• {BLOCKED}.{BLOCKED}.180.60
• {BLOCKED}.{BLOCKED}.202.40
• {BLOCKED}.{BLOCKED}.179.14
• {BLOCKED}.{BLOCKED}.209.33
• {BLOCKED}.{BLOCKED}.250.54
• {BLOCKED}.{BLOCKED}.180.229
• {BLOCKED}.{BLOCKED}.242.124
• {BLOCKED}.{BLOCKED}.109.209
• {BLOCKED}.{BLOCKED}.13.76
• {BLOCKED}.{BLOCKED}.203.144
• {BLOCKED}.{BLOCKED}.80.82
• {BLOCKED}.{BLOCKED}.222.68
• {BLOCKED}.{BLOCKED}.198.231

Information Theft

This Backdoor gathers the following data:

• Mac Address
• Platform Version
• IP Address
• Bootloader