
Joe Security's Blog

Analysing VPNFilter with Joe Sandbox Linux

Published on: 05.06.2018

Linux malware is becoming a hot topic in the security news headlines, as we see more and more recent malware targeting Linux operating systems. With more than 11 billion embedded devices with networking capabilities in 2018 (Gartner), bots targeting the Internet of Things (IoT) have a bright future ahead. Mirai and VPNFilter are just some recent examples.

Thus, it is the right time to step up! For some months, we have been working on a new product to analyze malware targeting Linux. Today, we are happy to release Joe Sandbox Linux, our deep malware analysis engine for fighting threats on Ubuntu and CentOS.

By adding analysis on Linux, Joe Sandbox is now the only malware analysis system available on the market which can analyze malware on all of Windows, MacOS, Linux, Android, and iOS:

In this blog post, we are going to showcase the features of Joe Sandbox Linux, using the recently discovered VPNFilter as well as a coin miner malware as examples.


VPNFilter is a recent malware found by Cisco Talos which targets Internet routers. According to Talos, VPNFilter is likely a state-sponsored or state-affiliated threat built to gather intelligence. It carries powerful destructive payloads and has infected over 500'000 routers in 54 countries.

Just like modern malware on Windows, VPNFilter uses multiple stages:

Stage 1

In stage 1, VPNFilter mainly establishes persistence by creating a cronjob, so that it survives a reboot. Joe Sandbox Linux directly detected VPNFilter with a generic behavior rule. In the network tab we can see that it reaches out to photobucked[.]com to get an image:

Since the threat is already some days old, the resource is no longer available. The image would have included the IP address from which to download the second-stage malware.

Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 1.
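A defender-side check for the cron persistence described in Stage 1, as an added example that is not code from Joe Security or from the original post: it parses crontab text and flags jobs that run from writable or hidden paths. The directory list, the function names and the sample crontab are assumptions constructed for illustration, not VPNFilter indicators.

```python
import re

# Assumption: locations a packaged cron job would not normally execute from.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/run/")
MACROS = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly",
          "@daily", "@midnight", "@hourly"}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

# Constructed sample in /etc/crontab format (user column present).
SAMPLE = """\
# constructed sample
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /var/run/updater
@reboot root /usr/local/bin/backup.sh
0 3 * * * root /home/user/.cache/.svc >/dev/null 2>&1
"""

def cron_command(line, system_crontab=False):
    """Return the command of a crontab line; None for comments, blanks, env lines."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    fields = line.split()
    skip = 1 if fields[0] in MACROS else 5   # "@reboot" or five time fields
    if system_crontab:
        skip += 1                            # /etc/crontab, /etc/cron.d: user column
    if len(fields) <= skip:
        return None                          # malformed: no command present
    return line.split(None, skip)[skip]

def suspicious_entries(crontab_text, system_crontab=False):
    """Return (line number, command, reasons) for jobs touching suspect paths."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        cmd = cron_command(line, system_crontab)
        reasons = []
        for token in re.findall(r"/[^\s;|&<>\"']+", cmd or ""):
            if (token + "/").startswith(SUSPECT_DIRS):
                reasons.append("writable directory: " + token)
            elif "/." in token:
                reasons.append("hidden path: " + token)
        if reasons:
            findings.append((lineno, cmd, reasons))
    return findings

if __name__ == "__main__":
    for lineno, cmd, reasons in suspicious_entries(SAMPLE, system_crontab=True):
        print(lineno, cmd, reasons)
```

On a real host, feed it the contents of /etc/crontab and /etc/cron.d/* with `system_crontab=True`, and per-user crontabs with the default.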

Stage 2

The second stage malware contains the bot functionality. This can be easily seen in the verbose output:

Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 2.

Commands which can be sent to VPNFilter include: exec, kill, seturl, download, reboot, proxy, port and tor. The stage 2 malware deletes itself, and thus VPNFilter no longer exists after the infected device is rebooted:

Stage 3

VPNFilter also has the ability to load plugins or modules, for instance to communicate secretly via Tor:

As you can see by using the analysis report generated by Joe Sandbox Linux, you get valuable information about the threat including payloads, IOCs, and behaviors.

Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 3.

Coin miner

Coin miners are malware which "kidnap" the CPUs of servers in order to mine for cryptocurrencies. Especially in the Linux server world, they are very common. Let us have a look at the analysis report:

The classification clearly shows that this is miner malware. Through the antivirus integration, all artifacts such as dropped files are scanned automatically:

Thanks to the extensive behavior signature set of Joe Sandbox Linux, Coin miners are detected on any architecture:

The behavior graph, which is also part of Joe Sandbox Desktop (analysis on Windows) and Joe Sandbox X (analysis on MacOS), helps to fully understand the installation behavior:

As for VPNFilter, Joe Sandbox Linux fully detected the coin miner payload and provided additional insights into the malware behavior.

Full Joe Sandbox Linux Analysis Report for Coinminer.

Final Words

With the capability of analyzing malware targeting Windows, MacOS, Linux, Android, and iOS, Joe Sandbox is the only malware analysis solution which can fully protect you from today's threats. With the introduction of Joe Sandbox Linux, customers get a very advanced analysis tool to detect advanced threats targeting routers, IoT devices and Linux servers or workstations.

Joe Sandbox Linux has already been fully integrated into Joe Sandbox Cloud Pro and Basic and will soon be available as an on-premise product.

Want to try Joe Sandbox Linux? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!