Intro

Router exploit kits are nothing new in Brazil: a router exploit kit named GhostDNS was discovered by Netlab360 in the fall of 2018, with more than 100,000 infected SOHO routers. Novidade and other GhostDNS variants have also been quite active this year, and in April 2019 Avast detected a new exploit kit, SonarDNS.



From February 1 until March 30, 2019, Avast’s Web Shield blocked more than 4.6 million cross-site request forgery (CSRF) web-based attacks in Brazil, attempting to silently modify DNS settings on routers.



When a CSRF attack succeeds, the router is reconfigured to use rogue DNS servers that redirect victims to phishing pages, harvesting login credentials or credit card details when they open banking sites or Netflix. The rogue resolver can also be used to inject a cryptomining script or to push malicious advertisements. Through the Avast Wi-Fi Inspector feature, included in all Avast Antivirus consumer versions, which checks users’ routers for vulnerabilities, we found that 180,000 Avast users located in Brazil had their DNS hijacked in the first half of 2019.

RouterCSRF campaigns

RouterCSRF campaigns are often distributed via malvertising through popcash[.]net, dolohen[.]com, rotumal[.]com, bodelen[.]com and other ad rotators, and appear in waves. The attack usually starts when the user visits a compromised website, typically a local Brazilian porn site or a site hosting movies or sports streams. From there the victim is silently redirected to a router exploit kit landing page, usually opened in a new window or tab, which starts the attack on the router automatically, without any user interaction.





The following graph shows RouterCSRF attacks (waves) blocked by Avast Web Shield, from February 1 until May 30, 2019:



[Graph: blocked RouterCSRF infection attempts plotted against time, February to June 2019]



In general, the exploit kit first tries to locate the router’s IP address on the local network, and then tries to log in by guessing the password from a list of common credentials. These are the most frequently used login credentials (username:password):

admin:admin

admin:

admin:12345

Admin:123456

admin:gvt12345

admin:password

admin:vivo12345

root:root

super:super

The password “gvt12345”, for example, suggests that the attackers target users with routers from the former Brazilian internet service provider (ISP) GVT, which was acquired by Telefônica Brasil, the largest telecommunications company in the country. The password “vivo12345” is used on routers distributed by the ISP Vivo, which is also a Telefônica Brasil brand.



Once a login succeeds, the exploit kit attempts to alter the router’s DNS settings using various CSRF requests, primarily targeting the following router models:



TP-Link TL-WR340G

TP-Link WR1043ND

D-Link DSL-2740R

D-Link DIR 905L

A-Link WL54AP3 / WL54AP2

Medialink MWN-WAPR300

Motorola SBG6580

Realtron GWR-120

Secutech RiS-11/RiS-22/RiS-33

GhostDNS Exploit Kit

The GhostDNS exploit kit is very popular in the Brazilian underground hacking scene, and some of its variants are among the most active exploit kits targeting Brazilian routers in 2019. The GhostDNS variant Novidade attempted to infect Avast users’ routers more than 2.6 million times in February alone, spread via three campaigns. According to Netlab360, GhostDNS is a complex system consisting of a phishing web system, a web admin system and a rogue DNS system.



The threat actors behind GhostDNS try to increase their success rate by identifying routers’ IP addresses via public mass scans. The same rogue DNS servers, 195[.]128.124[.]131 and 195[.]128.126[.]165, detected by @bad_packets’ honeypots were also spotted in other GhostDNS campaigns this year.

On May 5, 2019 we spotted a new variant of the GhostDNS landing page in a campaign that tries to trick the user with a fake Google Chrome update. So far we have blocked GhostDNS attacks against Avast users 70,000 times.



Screenshot: A new variant of a GhostDNS landing page spotted in a campaign on May 5, 2019 attempting to trick users with a fake Google Chrome update



While the attackers try to convince the user that their Chrome browser is being updated, a malicious script runs in the background. Its payload shows the use of iframes, a list of default router IP addresses, and several functions of the DNSChanger malware.



In general terms, the script tests every IP on that list using a function that cleverly relies on image declaration: each candidate IP is declared as the source of an image. The attackers do not care about the image itself; they use the browser’s load and error events to find out whether an IP belongs to a router and to reach its login page. This is not a bypass of Cross-Origin Resource Sharing (CORS): the same-origin policy and CORS only restrict whether a script can read a cross-origin response, while the browser itself will issue requests for images, scripts and iframes to any origin, including private addresses on the local network. Because the script only needs to know whether each request succeeded, every browser, old or new, gives the attacker exactly what is needed. Once a router has been identified behind one of the addresses, a hidden iframe is appended to the page body; its content is another script that changes the router’s DNS settings using the guessed credentials.



This procedure takes time, which is why it is masked as a Google Chrome browser update.

GhostDNS: attack chain (Fiddler capture sample):



SonarDNS Exploit Kit

In the past three months we discovered three drive-by attacks from a new exploit kit whose signatures differ from those of GhostDNS. We spotted the first attack on April 17, 2019, originating from the domain akibanoticias[.]com, a fake Brazilian news site. We assume the attack was just a test, because the attacker left a substantial part of the code uncleaned and left the following in the decoy page:



After looking up fingerprint_db.js and sonar.start on Google, we found that the entire exploit kit was built on the SONAR JS framework. For this reason, we named the exploit kit “SonarDNS EK”:



The Sonar JS framework also contains a fingerprint database for identifying router models. Here is an example from the official GitHub description, determining the fingerprint for the ASUS RT-N66U:
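The following is an added JavaScript example, not GhostDNS, SonarDNS or Sonar code, that puts the two browser-side steps described so far in one place: the image-declaration probing of default gateway addresses from the GhostDNS section, and matching the discovered gateway against a Sonar-style fingerprint table. The loader is injectable so the logic can be exercised outside a browser; the fingerprint table, its resource paths and the demo network are hypothetical placeholders, not real router paths.

```javascript
// Added example (not GhostDNS, SonarDNS or Sonar code): the two browser-side
// steps a router exploit kit performs before sending CSRF requests.
//  1. discovery: declare "http://<ip>/" as an image source for each candidate
//     gateway address; an address that answers at all fires onload or onerror
//     quickly, an address with nothing behind it only fails on timeout;
//  2. fingerprinting: load model-specific resources from the discovered gateway
//     and match them against a Sonar-style fingerprint table.
// The loader is injectable so the logic can run outside a browser.

// Subset of the default gateway addresses such kits iterate over.
const CANDIDATE_IPS = ["192.168.0.1", "192.168.1.1", "192.168.2.1", "10.0.0.1", "10.1.1.1"];

// Hypothetical fingerprint table in the style of Sonar's fingerprint_db.js.
// A model matches when every listed resource loads. Paths are placeholders,
// not real firmware paths.
const FINGERPRINTS = [
  { model: "ExampleRouter A (hypothetical)", resources: ["/img/logo_a.png", "/css/a.css"] },
  { model: "ExampleRouter B (hypothetical)", resources: ["/img/logo_b.png"] },
];

// Browser loader. The browser sends the request to any origin, including
// private addresses; the script cannot read the response (same-origin policy),
// but onload/onerror reveal whether the resource loaded.
// Resolves to "load", "error" or "timeout".
function browserImageLoader(url, timeoutMs) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve("timeout"), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve("load"); };
    img.onerror = () => { clearTimeout(timer); resolve("error"); };
    img.src = `${url}?${Date.now()}`; // cache-buster so a cached answer cannot fake a live host
  });
}

// Step 1: any address that produced "load" or "error" before the timeout is live.
async function discoverGateways(ips, loader, timeoutMs = 1500) {
  const results = await Promise.all(
    ips.map(async (ip) => ({ ip, outcome: await loader(`http://${ip}/`, timeoutMs) }))
  );
  return results.filter((r) => r.outcome !== "timeout").map((r) => r.ip);
}

// Step 2: the first fingerprint whose resources all load wins; null if none match.
async function fingerprintGateway(ip, loader, db = FINGERPRINTS, timeoutMs = 1500) {
  for (const entry of db) {
    const outcomes = await Promise.all(
      entry.resources.map((path) => loader(`http://${ip}${path}`, timeoutMs))
    );
    if (outcomes.every((o) => o === "load")) return entry.model;
  }
  return null;
}

async function scan(ips, loader, db = FINGERPRINTS) {
  const live = await discoverGateways(ips, loader);
  const out = [];
  for (const ip of live) out.push({ ip, model: await fingerprintGateway(ip, loader, db) });
  return out;
}

// Offline stand-in for the browser loader: `hosts` maps a live address to the
// set of paths that exist on it. Constructed data for demonstration only.
function makeFakeLoader(hosts) {
  return async (url) => {
    const u = new URL(url);
    const paths = hosts[u.hostname];
    if (!paths) return "timeout";                       // nothing listening
    return paths.has(u.pathname) ? "load" : "error";    // answers, but not necessarily with an image
  };
}

const DEMO_NETWORK = { "192.168.0.1": new Set(["/img/logo_b.png"]) }; // constructed sample

if (typeof require !== "undefined" && require.main === module) {
  scan(CANDIDATE_IPS, makeFakeLoader(DEMO_NETWORK)).then((r) => console.log(JSON.stringify(r)));
}
```

In a page, `scan(CANDIDATE_IPS, browserImageLoader)` does the real work. Note that a live gateway answering "/" with an HTML login page yields an error event, exactly as it would in a browser, which is why discovery treats both load and error as "something is there". From the defender's side, the same behaviour is the detectable signal: a public page firing a burst of requests at private addresses.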



The domain of the fake news website akibanoticias[.]com was also used in a second campaign on May 10, 2019. The attacker improved the landing page and added more obfuscation layers to the main function located in random.js.



random2.js obfuscated payload (Fiddler snippet), with the payload stored in the variable N7o:

Essentially, akibanoticias[.]com’s source code is obfuscated and stored in one big variable. This variable is then loaded, deobfuscated and executed through many switch cases and loops. The deobfuscation process pulls fragments of the split code from many arrays and assembles them into several WebSocket requests.



Looking at the deobfuscated WebSocket requests, we can see attempts to connect to local routers and change their settings.



Example of deobfuscated WebSocket requests:

DNS hijacking & Post infection

In general, once the rogue DNS server is in place, the cybercriminals monetize it in three ways: phishing attacks that steal credit card details or login credentials for Netflix and banking websites; stealing traffic from web ad agencies by replacing legitimate ads with malicious ones; and injecting a cryptocurrency-mining JavaScript.



Phishing:

A site recently targeted by phishing campaigns is Netflix. In this case the attackers prepared a simple login form with a very convincing design, but some mistakes can still be spotted: the links in the page footer do not work, and the missing HTTPS certificate is very noticeable, especially in browsers that display the certificate state prominently.



The source code is very short and shows that the footer links are just for show: they are a formatted list of items that behave like links when the mouse hovers over them. The form action points to a PHP script named “get_pay.php”, typical of phishing websites.



Avast has detected more than 180,000 infected users with active DNS hijacking in Brazil from February to June 2019. According to Avast Wi-Fi Inspector telemetry, the most hijacked domains in Brazil primarily belong to banking institutions, but the new favorite seems to be Netflix.



Here is a comparison between the Google Public DNS resolver and a rogue DNS resolver, trying to resolve the IP address belonging to banking institution Santander’s website:

Here is the original Santander bank website with a valid certificate:

And here is the phishing version of the site, served over plain HTTP without a certificate:



Bad ads and cryptocurrency:

Popular web ad and page-tracking endpoints are embedded in a great many web pages, which unfortunately makes them very convenient targets for DNS hijacking. Here is the list of the most attacked URLs seen in DNS hijacks this spring, all resolving to the same IP address, 188.214.132[.]44:



http://cdn.popcash.net/pop.js

http://widgets.outbrain.com/outbrain.js

http://www.google-analytics.com/ga.js

http://cdn.taboola.com/TaboolaCookieSyncScript.js

http://pagead2.googlesyndication.com/pagead/s/cookie_push.html
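As an added example, not Avast’s Wi-Fi Inspector code, the check below automates the comparison shown above for the Santander site: it resolves a set of hostnames through the resolver the machine actually uses and through a public reference resolver, flags names whose answers disagree, and, more importantly, flags the pattern visible in the list above, where unrelated hostnames all resolve to one shared address. Node’s `dns` module is used for live lookups; the resolver functions are injectable, and the offline run uses constructed answers (the reference addresses are from the 203.0.113.0/24 and 192.0.2.0/24 documentation ranges, `bank.example` and `untouched.example` are placeholders).

```javascript
// Added example (not Avast Wi-Fi Inspector code): detect DNS hijacking by
// comparing the answers of the resolver this machine actually uses with those
// of a public reference resolver, and by looking for many unrelated hostnames
// that all map to one address, the pattern in the list above.

// Live resolvers built on Node's dns module. `servers` null = the OS-configured
// resolver (on a hijacked network, the router); ["8.8.8.8"] = Google Public DNS.
function makeResolver(servers) {
  const { Resolver } = require("dns").promises;
  const r = new Resolver();
  if (servers) r.setServers(servers);
  return async (name) => {
    try { return await r.resolve4(name); } catch (e) { return []; } // NXDOMAIN, timeout: no answers
  };
}

// `localResolve` and `referenceResolve` are async (name) => string[] functions.
async function checkHijack(names, localResolve, referenceResolve, { sharedThreshold = 3 } = {}) {
  const findings = [];
  const namesByIp = new Map();
  for (const name of names) {
    const [local, reference] = await Promise.all([localResolve(name), referenceResolve(name)]);
    for (const ip of local) namesByIp.set(ip, [...(namesByIp.get(ip) || []), name]);
    // Weak signal on its own: CDN-backed names legitimately answer differently per resolver.
    const refSet = new Set(reference);
    if (reference.length && local.length && local.every((ip) => !refSet.has(ip))) {
      findings.push({ kind: "differs", severity: "weak", name, local, reference });
    }
  }
  // Strong signal: a bank, an ad network and an analytics host sharing one address
  // is what a rogue resolver produces, not what legitimate hosting looks like.
  for (const [ip, mapped] of namesByIp) {
    if (mapped.length >= sharedThreshold) {
      findings.push({ kind: "shared-ip", severity: "strong", ip, names: mapped });
    }
  }
  return findings;
}

function fakeResolver(table) {
  return async (name) => table[name] || [];
}

// Constructed offline sample. Reference answers use documentation ranges;
// the hijacked answers use the address from the list above.
const FAKE_LOCAL = {
  "cdn.popcash.net": ["188.214.132.44"],
  "widgets.outbrain.com": ["188.214.132.44"],
  "www.google-analytics.com": ["188.214.132.44"],
  "bank.example": ["188.214.132.44"],
  "untouched.example": ["192.0.2.10"],
};
const FAKE_REFERENCE = {
  "cdn.popcash.net": ["203.0.113.10"],
  "widgets.outbrain.com": ["203.0.113.20"],
  "www.google-analytics.com": ["203.0.113.30"],
  "bank.example": ["203.0.113.40"],
  "untouched.example": ["192.0.2.10"],
};

function demoNames() { return Object.keys(FAKE_LOCAL); }

async function demo() {
  return checkHijack(demoNames(), fakeResolver(FAKE_LOCAL), fakeResolver(FAKE_REFERENCE));
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((f) => console.log(JSON.stringify(f, null, 2)));
}
```

For a live check, replace the fakes with `makeResolver(null)` and `makeResolver(["8.8.8.8"])` and pass the hostnames from the list above; on a hijacked network the `shared-ip` finding names the rogue address. Treat `differs` findings alone with caution, since geo-aware CDN answers differ between resolvers for entirely legitimate reasons.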

To give an example of how the malicious ads work, take a browser requesting the Outbrain widget, the promoted third-party articles often embedded at the bottom of websites. When the user’s network is DNS-hijacked, malicious content is served instead of the real Outbrain content. Here is a comparison between the original server and the rogue server answering the browser’s request for the Outbrain widget:



Deobfuscated code:

The deobfuscated source code shows a simple attempt to swap the HTTPS scheme for the unsecured HTTP scheme. This is necessary, since the advertising script only delivers the attackers’ special ads over plain HTTP.



Consequently, a wide variety of special ads can pop up or be appended to the site by the attackers, ranging from old-school “you have won” ads to more serious browser extensions, as shown in the screenshot above. Search extensions can be used to distribute malicious content or to redirect users to shady websites.



There are also two additional scripts loaded and appended to the page. The heavily obfuscated script located at tharbadir[.]com/2?z=2043966 collects a large amount of information about the user’s computer, such as the installed browsers, the screen resolution, available referrers, and much more. This information lets advertisers target users with tailored content, but it also lets malicious actors serve effective phishing sites, technical support scams, malvertising and exploit kits. The domain rotumal[.]com, also visible in the screenshot above, is a well-known malicious redirector leading to potentially unwanted programs (PUPs), scams and Trojans.



In the last part of the attack, the attackers try to run a cryptomining script located at cdn.t[.]co/sm.js, built to mine Monero, the cryptocurrency most popular among cybercriminals for this purpose. This miner is only reachable when the user’s DNS has been hijacked, because the rogue resolver again resolves this domain to 188.214.132[.]44. The very last line of the miner script shows the attackers’ private Monero wallet.



Detection and recommendation:

Web Shield:

Avast users are protected with the following detection signatures:

HTTP:RouterCSRF-A (DNS server address change via GET)

HTTP:RouterCSRF-B (User password change)

HTTP:RouterCSRF-C (Router reboot)

HTTP:RouterCSRF-E (DNS server address change via POST)

JS:RouterEK-A [Trj] (Detection for RouterEK landing pages)

JS:Agent-EHH [Trj] (Detection for malicious advertisement)
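The signature names above describe what Web Shield looks for at the HTTP layer. As an added example, not Avast’s signature code, the classifier below applies the same four categories to HTTP requests a proxy or browser extension could observe: requests aimed at a private gateway address that set DNS servers (via GET or POST), change a password, or reboot the device, with a note of whether credentials were embedded in the URL. The parameter-name patterns are heuristics assumed from typical router web interfaces, and the sample requests are constructed with placeholder paths, not taken from any firmware or from the kits’ traffic.

```javascript
// Added example (not Avast's signature code): heuristic classifier that maps
// HTTP requests seen by a proxy or browser extension onto the four RouterCSRF
// categories above. Parameter-name patterns are assumptions drawn from typical
// router web interfaces, not from any specific firmware or kit traffic.

const PRIVATE_V4 = /^(10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)$/;
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
const DNS_PARAM = /dns/i;            // dns1, Primary_DNS, dnsserver, ...
const PASSWORD_PARAM = /pass|pwd/i;  // newpass, admin_pwd, ...
const OLD_PASSWORD = /old|cur/i;     // "oldpass"/"curpwd" carry the current one, not a change
const REBOOT = /reboot|restart/i;

// req: { method, url, body }. Returns { target, credentialsInUrl, categories }.
function classifyRequest(req) {
  const method = (req.method || "GET").toUpperCase();
  const u = new URL(req.url);
  const result = { target: u.hostname, credentialsInUrl: u.username !== "", categories: [] };
  if (!PRIVATE_V4.test(u.hostname)) return result; // only gateway-directed requests matter here

  const params = method === "POST" ? new URLSearchParams(req.body || "") : u.searchParams;
  let dnsChange = false, passwordChange = false, reboot = REBOOT.test(u.pathname);
  for (const [key, value] of params) {
    if (DNS_PARAM.test(key) && IPV4.test(value)) dnsChange = true;
    if (PASSWORD_PARAM.test(key) && !OLD_PASSWORD.test(key)) passwordChange = true;
    if (REBOOT.test(key) || REBOOT.test(value)) reboot = true;
  }
  if (dnsChange) result.categories.push(method === "POST" ? "dns-change-post" : "dns-change-get"); // RouterCSRF-E / -A
  if (passwordChange) result.categories.push("password-change");                                   // RouterCSRF-B
  if (reboot) result.categories.push("reboot");                                                    // RouterCSRF-C
  return result;
}

// Returns only the requests that matched at least one category.
function scanRequests(requests) {
  return requests.map((r) => ({ ...r, ...classifyRequest(r) })).filter((r) => r.categories.length > 0);
}

// Constructed sample traffic with placeholder paths and parameter names.
const SAMPLE_REQUESTS = [
  { method: "GET",  url: "http://admin:admin@192.168.0.1/setdns?dns1=188.214.132.44&dns2=8.8.8.8" },
  { method: "POST", url: "http://192.168.1.1/setpass", body: "oldpass=admin&newpass=hunter2" },
  { method: "GET",  url: "http://192.168.1.1/reboot" },
  { method: "GET",  url: "http://example.com/?dns1=1.1.1.1" }, // public host: out of scope
  { method: "POST", url: "http://10.0.0.1/dns", body: "Primary_DNS=188.214.132.44&Secondary_DNS=8.8.8.8" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of scanRequests(SAMPLE_REQUESTS)) console.log(hit.categories.join(","), hit.url);
}
```

The useful refinement in practice is the context the classifier does not see here: a request to a private gateway is expected when the user is on the router’s own admin page, and suspicious when the initiating document is a public site, which is the referrer/initiator check a browser-side blocker would add on top.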

Avast Wi-Fi Inspector:



If you think you might be infected with a router exploit kit, run the Avast Wi-Fi Inspector feature, included in all Avast Antivirus consumer versions, including Avast Free Antivirus. If your network is compromised with the GhostDNS exploit kit or the SonarDNS exploit kit, the following detection will show, with detailed information about the hijacked domains:

Recommendation and mitigation:

To prevent a DNS hijack attack, or to protect yourself if you have been infected, we recommend doing the following:



Update your router’s firmware to the latest version.

Change your login credentials, especially for your online banking services and your router, and use strong passwords. If your router’s DNS settings were altered, reset them as well.

Make sure your banking website has a valid certificate by looking for the padlock in your browser’s address bar.

IoC: