But in this case, the attackers really use this method to figure out if an IP belongs to a router, and to access the router’s login page. Image declaration means that a particular IP is declared as the source of an image. To describe the function of the script in general, all IPs are tested by a function that cleverly uses image declaration. The script’s payload shows the usage of iframes, a list of default router IP addresses, and a few functions of the DNSchanger malware. While the attackers attempt to convince the user their Chrome browser is being updated, a malicious script is executed in background.
Screenshot: A new variant of a GhostDNS landing page spotted in a campaign on attempting to trick users with a fake Google Chrome update We protected Avast users from GhostDNS 70,000 times, thus far. We spotted a new variant of a GhostDNS landing page in a campaign on attempting to trick the user with a fake Google Chrome update. The same rouge DNS servers 195128.124131 and 195.128.126165 detected by honeypots were also spotted in other GhostDNS campaigns this year. The threat actors behind GhostDNS are trying to increase their attack success rate by scanning routers’ IP addresses via public mass scans. According to Netlab360, GhostDNS consists of a complex system with a phishing web system, web admin system, and rogue DNS system.
The GhostDNS variant Novidade attempted to infect Avast users’ routers over 2.6 million times in February alone and was spread via three campaigns. The GhostDNS exploit kit is very popular in the Brazilian underground hacking scene and some of its variants belong to the most active exploit kits targeting Brazilian routers in 2019.
Once the hacker successfully logs into the router, the exploit kit attempts to alter the router’s DNS settings using various CSRF requests, primarily targeting the following router models:
The password “vivo12345” is used on routers distributed by the ISP Vivo, which is also Telefônica Brasil brand. The password “gvt12345”, for example, suggests that hackers target users with routers from the former Brazilian internet service provider (ISP) GVT, which was acquired by Teleônica Brasil, and is the largest telecommunications company in the country. Here is the list of the top used login credentials (username:password): In general, the exploit kit attempts to find the router IP on a network, and subsequently attempts to guess the password using various login credentials. X – Blocked infection RouterCSRF attempts, Y – data from 2-6 2019 The following graph shows RouterCSRF attacks (waves) blocked by Avast Web Shield, from February 1 until May 30, 2019: When visiting a compromised site, the victim is unknowingly redirected to a router exploit kit landing page, which is usually opened in a new window or tab, initiating the attack on the router automatically, without user interaction. The attack usually starts when the user visits a compromised website, typically a local Brazilian pornsite, or site hosting movies or sports streams. RouterCSRF campaigns are often distributed via malvertising campaigns through popcashnet, dolohencom, rotumalcom, bodelencom and other ad rotators, and appear in waves.
Through the Avast Wi-Fi Inspector feature, included in all Avast Antivirus consumer versions, which checks users’ routers for vulnerabilities, we have discovered that 180,000 users in the Avast user base, located in Brazil have had their DNS hijacked in the first half of 2019.
Another attack possibility is to install a cryptomining script, or push malicious advertisements to victims. In cases where a CSRF attack is successful, routers are reconfigured to use rogue DNS servers that redirect victims to phishing pages, to pharm login credentials or credit card details when the victims open banking sites or Netflix. Novidade and other variants of the GhostDNS exploit kit have also been pretty active this year, and Avast has detected a new exploit kit, SonarDNS, in April 2019.įrom February 1 until March 30, 2019, Avast’s Web Shield blocked more than 4.6 million cross-site request forgery (CSRF) web-based attacks in Brazil, attempting to silently modify DNS settings on routers. Router exploit kits are nothing new in Brazil a router exploit kit named GhostDNS was discovered by Netlab360 in the fall of 2018, showing more than 100K infected SOHO routers.