Security experts from Qihoo 360 NetLab spotted GhostDNS, a malware that already infected over 100K+ devices and targets 70+ different types of routers

Security experts from Qihoo 360 NetLab have uncovered an ongoing hacking campaign that leverages the GhostDNS malware. Attackers have already hijacked over 100,000 home routers, the malicious code allows to modify DNS settings to hijack the traffic and redirect users to phishing websites.

Between September 21 and 27, the GhostDNS campaign compromised more than 100,000 routers, most of them (87.8%) located in Brazil.

GhostDNS reminds us of the infamous DNSChanger malware that made the headlines for its ability to change DNS settings on the infected device

GhostDNS scans for the IP addresses used by routers that use weak or no password then accesses them and changes the DNS settings to a rogue DNS server operated by the attackers.

“Just like the regular dnschanger, this campaign attempts to guess the password on the router’s web authentication page or bypass the authentication through the dnscfg.cgi exploit, then changes the router’s default DNS address to the Rogue DNS Server[3]through the corresponding DNS configuration interface.” reads the analysis published by the experts.

“But this campaign has more, we have found three related DNSChanger programs, which we call Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger according to their programming languages.”

The GhostDNS has a modular structure composed of four components:

1) DNSChanger Module: The main module designed to exploit targeted routers, it has three sub-modules dubbed, Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger.

1.) Shell DNSChanger is written in the Shell programming language and combines 25 Shell scripts that allow the malware to carry out brute-force attacks on routers or firmware packages from 21 different manufacturers.

2.) Js DNSChanger is written in JavaScript and includes 10 attack scripts designed to infect 6 routers or firmware packages. It includes scanners, payload generators, and attack programs. The Js DNSChanger program is usually injected into phishing websites, so it works together with the Phishing Web System.

3.) PyPhp DNSChanger is written in Python and PHP, it contains 69 attack scripts designed to target 47 different routers/firmware. The component has been found deployed on over 100 servers, most of which on Google Cloud, it includes functionalities like Web API, Scanner and Attack module. Experts believe this sub-module is the core module of DNSChanger that allows attackers to scan the Internet to find vulnerable routers.

2) Web Admin module: Experts believe it implements an admin panel for attackers secured with a login page.

3) Rogue DNS module: The module resolves targeted domain names from the attacker-controlled web servers. At the time of the investigation, the expert had no access to the Rouge DNS server, for this reason, it was not possible to know the exact number DNS entries used to hijack legitimate domains.

4) Phishing Web module: The module implements phishing pages for the domains targeted in this campaign.

Attackers appear to be focused on Brazil where mainly targeted major banks.

“Currently the campaign mainly focuses on Brazil, we have counted 100k+ infected router IP addresses (87.8% located in Brazil), and 70+ router/firmware have been involved, and 50+ domain names such as some big banks in brazil , even Netflix, Citibank.br have been hijacked to steal the corresponding website login credentials,” continues the researchers.

Experts warn of the threat GhostDNS malware poses to Internet sue to its scalability and the availability of multiple attack vector.

Further details, including IoCs are reported in the analysis published by Qihoo 360 NetLab.

Pierluigi Paganini