GhostDNS Malware Hacked 100K Routers For Phishing

October 25, 2018

A cyberattack likened to a DNS-changer infiltration was first spotted in August on several D-Link routers in Brazil has expanded to affect more than 80 different network devices and more than 100,000 individual kits. Radware first identified the latest campaign, which started as an attack on Banco de Brasil customers via a DNS redirection that sent people to a duplicate site that stole their banking credentials.

Quihoo’s Netlab 360 folk have warned that the attack, which they’ve named – GhostDNS, is “starting to ramp up its effort significantly with a whole bunch of new scanners.” The attackers were trying to get control of the target machines either by guessing the web admin password, or through a vulnerable DNS configuration CGI script (dnscfg.cgi). If they get control of a device, they change the router’s default DNS server to their own “rogue” machine.

Netlab 360’s post added that as well as redirecting a victim’s default DNS, the GhostDNS campaign uses three DNS Changer variants running as a shell, a JavaScript program, or a Python program.

But wait, there’s more, the post said: “The GhostDNS system consists of four parts: DNS Changer module, Phishing Web module, Web Admin module, Rogue DNS module.”

Rogue DNS module –

The Rouge DNS server contains a number of hijacked domains, primarily banking domains, cloud hosting services, and domain belongs to security company Avira.

Phishing Web module –

The rogue DNS server hijacks targeted domain’s and resolves them to phishing server and the phishing server servers corresponding phishing site.

With this ghost’s campaign between Sept. 21st to Sept.-27th, the hackers primarily targeted users located in Brazil. The shell DNSChanger module works on 21 router models, the post said; the JavaScript module can infect six models; and the Python version has been installed on 100 servers, mostly on Google’s cloud.

At this stage, the post said, the redirection campaign is heavily weighted towards Brazilian Websites, nearly 88 per cent of the compromised devices are also in Brazil, and the rogue DNS servers operated on Hostkey, Oracle, Multacom, Amazon, Google, Telefonica, Aruba, and OVH.

Compromised kit has also been spotted in Bolivia, Argentina, Saint Maarten, Mexico, Venezuela, the US, Russia and a few others.

OVH, Oracle and Google have kicked the attackers off their infrastructure, and the post said others are “working on it”.

Vendors the Netlab 360 researchers have also listed – 3Com, A-Link, Alcatel / Technicolor, Antena, C3-Tech, Cisco, D-Link, Elsys, Fiberhome, Fiberlink, Geneko, Greatek, Huawei, Intelbras, Kaiomy, LinkOne, MikroTik, MPI Networks, Multilaser, OIWTECH, Perfect, Qtech, Ralink, Roteador, Sapido, Secutech, Siemens, Technic, Tenda, Thomson, TP-Link, Ubiquiti, Viking, ZTE, and Zyxel as vulnerable.

About the author

Leave a Reply