{
	"id": "0eb2ff9a-615c-41da-9c8e-b16dcafbb66e",
	"created_at": "2026-04-06T00:21:39.007684Z",
	"updated_at": "2026-04-10T03:37:50.01316Z",
	"deleted_at": null,
	"sha1_hash": "9cdfa28dcd8c37544cecbe9bbdc986e365ec0f16",
	"title": "VPNFilter EXIF to C2 mechanism analysed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1471491,
	"plain_text": "VPNFilter EXIF to C2 mechanism analysed\r\nBy GReAT\r\nPublished: 2018-05-24 · Archived: 2026-04-05 17:32:27 UTC\r\nOn May 23 2018, our colleagues from Cisco Talos published their excellent analysis of VPNFilter, an IoT / router malware which exhibits some worrying characteristics.\r\nSome of the things which stand out about VPNFilter are:\r\nIt has a redundant, multi-stage command and control mechanism which uses three different channels to receive information\r\nIt has a multi-stage architecture, in which some of the more complex functionality runs only in the memory of the infected devices\r\nIt contains a destructive payload which is capable of rendering the infected devices unbootable\r\nIt uses a broken (or incorrect) RC4 implementation which has been observed before with the BlackEnergy malware\r\nStage 2 command and control can be executed over TOR, meaning it will be hard to notice for someone checking the network traffic\r\nWe’ve decided to look a bit into the C\u0026C mechanism for the persistent malware payload. As described in the Talos blog, this mechanism has several stages:\r\nFirst, the malware tries to visit a number of gallery pages hosted on photobucket[.]com and fetches the first image from the page.\r\nIf this fails, the malware tries fetching an image file from a hardcoded domain, toknowall[.]com. This C2 domain is currently sinkholed by the FBI.\r\nIf that fails as well, the malware goes into a passive backdoor mode, in which it processes network traffic on the infected device waiting for the attacker’s commands.\r\nFor the first two scenarios in which the malware successfully receives an image file, a C2 extraction subroutine is called which converts the image EXIF coordinates into an IPv4 address. This is used as an easy way to avoid using DNS lookups to reach the C\u0026C. Of course, in case this fails, the malware will indeed look up the hardcoded domain (toknowall[.]com). It may be worth pointing out that in the past, the BlackEnergy APT devs have shown a preference for using IP addresses for C\u0026C instead of hardcoded domain names, which can be easily sinkholed.\r\nTo analyse the EXIF processing mechanism, we looked into the sample 5f358afee76f2a74b1a3443c6012b27b, mentioned in the Talos blog. The sample is an i386 ELF binary and is about 280KB in size.\r\nUnfortunately for researchers, it appears that the photobucket.com galleries used by the malware have been deleted, so the malware cannot use the first C2 mechanism anymore. For instance:\r\nhttps://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/\r\nPage 1 of 6\r\nWith these galleries unavailable, the malware tries to reach the hardcoded domain toknowall[.]com.\r\nWhile looking at the pDNS history for this domain, we noticed that it resolved to an IP address in France, at OVH, between Jan and Feb 2018:\r\nInterestingly, when visiting this website’s C2 URL, we are presented with a JPG image, suggesting it is still an active C2:\r\nHere’s how it looks when viewed as an image:\r\nWhen we look into the EXIF data for the picture, for instance using IrfanView, it looks as follows:\r\nFilename – update.jpg\r\nGPS information: –\r\nGPSLatitude – 97 30 -175 (97.451389)\r\nGPSLongitude – -118 140 -22 (-115.672778)\r\nHow to get the IP out of these? The subroutine which calculates the C2 IP from the Latitude and Longitude can be found at offset 0x08049160 in the sample.\r\nAs it turns out, VPNFilter implements an actual EXIF parser to get the required information.\r\nFirst, it searches for a binary value 0xE1. This makes sense because the EXIF attribute information begins with a tag “0xFF 0xE1”. Then, it verifies that the tag is followed by a string “Exif”. This is the exact data that should appear in a correct header of the Exif tag:\r\nExif tag\r\nFF E1 Exif tag\r\nxx Length of field\r\n45 78 69 66 00 ‘Exif’\r\n00 Padding\r\nThe tag is followed by an additional header:\r\n“Attribute information” header\r\n49 49 (or 4D 4D) Byte order, ‘II’ for little endian (‘MM’ for big endian)\r\n2A 00 Fixed value\r\nxx xx Offset of the first IFD\r\nThe data following this header is supposed to be the actual “attribute information”, which is organized in so-called IFDs (Image File Directories), data records of a specific format. Each IFD consists of the following data:\r\nIFD record\r\nxx xx IFD tag\r\nxx xx Data type\r\nxx xx xx xx Number of data records of the same data type\r\nxx xx xx xx Offset of the actual data, from the beginning of the EXIF\r\nThe malware’s parser carefully traverses each record until it finds the one with the tag ‘25 88’ (0x8825 little endian). This is the tag value for “GPS Info”. That IFD record is, in turn, a list of tagged IFD records that hold separate values for latitude, longitude, timestamp, speed, etc. In our case, the code is looking for the tags ‘2’ (latitude) and ‘4’ (longitude). The data for latitude and longitude are stored as three values in the “rational” format: two 32-bit values, the first being the numerator and the second the denominator. Each of these three values corresponds to degrees, minutes and seconds, respectively.\r\nThen, for each record of interest, the code extracts the numerator part and produces a string of three integers (i.e. “97 30 4294967121” and “4294967178 140 4294967274”, which a typical EXIF parser would display as 1193143 deg 55′ 21.00″ and 4296160226 deg 47′ 54.00″). Then, curiously enough, it uses sscanf() to convert these strings back to integers. This may indicate that the GPS Info parser was taken from a third-party source file and used as-is. The extracted integers are then used to produce an actual IP address. The pseudocode in C is as follows:\r\n#include <stdio.h>\r\n#include <stdint.h>\r\n\r\nint main(void)\r\n{\r\n    /* Numerators of the three GPS rationals (degrees, minutes, seconds), taken from the Exif data */\r\n    const char lat[] = \"97 30 4294967121\";\r\n    const char lon[] = \"4294967178 140 4294967274\";\r\n    /* Unsigned 32-bit: values above INT_MAX wrap around exactly as in the malware's 32-bit arithmetic */\r\n    unsigned int o1p1, o1p2, o2p1, o3p1, o3p2, o4p1;\r\n    uint8_t octets[4];\r\n    if (sscanf(lat, \"%u %u %u\", \u0026o1p2, \u0026o1p1, \u0026o2p1) != 3) return 1;\r\n    if (sscanf(lon, \"%u %u %u\", \u0026o3p2, \u0026o3p1, \u0026o4p1) != 3) return 1;\r\n    /* Each octet keeps only the low 8 bits of the sum; 0x5A and 0xB4 are fixed offsets */\r\n    octets[0] = o1p1 + ( o1p2 + 0x5A );\r\n    octets[1] = o2p1 + ( o1p2 + 0x5A );\r\n    octets[2] = o3p1 + ( o3p2 + 0xB4 );\r\n    octets[3] = o4p1 + ( o3p2 + 0xB4 );\r\n    printf(\"%u.%u.%u.%u\\n\", octets[0], octets[1], octets[2], octets[3]); /* 217.12.202.40 */\r\n    return 0;\r\n}\r\nThe implementation of the EXIF parser appears to be pretty generic. The fact that it correctly handles the byte order (swapping the data, if required) and traverses all EXIF records, skipping them correctly, and that the GPS data is converted to a string and then back to integers, most likely indicates that the code was reused from an EXIF-parsing library or toolkit.\r\nFor the values provided here, the code will produce the IP address “217.12.202.40”, which is a known C\u0026C of VPNFilter.\r\nIt should be noted that this IP is included in Cisco Talos’ IOCs list as a known C\u0026C. Currently, it appears to be down.\r\nWhat’s next?\r\nPerhaps the most interesting question is who is behind VPNFilter. In their Affidavit for sinkholing the malware C2, the FBI suggests it is related to Sofacy:\r\nInterestingly, the same Affidavit contains the following phrase: “Sofacy Group, also known as apt28, sandworm, x-agent, pawn storm, fancy bear and sednit”. This would suggest that Sandworm, also known as BlackEnergy APT, is regarded as a subgroup of Sofacy by the FBI. Most threat intel companies have held these groups separate before, although their activity is known to have overlapped in several cases.\r\nPerhaps the most interesting technical detail, which Cisco Talos points out in their blog linking VPNFilter to BlackEnergy, is the usage of a flawed RC4 algorithm. The RC4 key scheduling algorithm implementation in both is missing the typical “swap” at the end of the loop. While rare, this mistake, or perhaps optimization, from BlackEnergy has been spotted by researchers and described publicly going as far back as 2010. For instance, Joe Stewart’s excellent analysis of BlackEnergy2 explains this peculiarity.\r\nSo, is VPNFilter related to BlackEnergy? If we are to consider only the RC4 key scheduling implementation alone, we can say there is only a low confidence link. However, it should be noted that BlackEnergy is known to have deployed router malware going back as far as 2014, which we described in our blogpost: “BE2 custom plugins, router abuse, and target profiles”. We continue to look for other similarities which could support this theory.\r\nSource: https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/"
	],
	"report_names": [
		"85721"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434899,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cdfa28dcd8c37544cecbe9bbdc986e365ec0f16.pdf",
		"text": "https://archive.orkl.eu/9cdfa28dcd8c37544cecbe9bbdc986e365ec0f16.txt",
		"img": "https://archive.orkl.eu/9cdfa28dcd8c37544cecbe9bbdc986e365ec0f16.jpg"
	}
}