FacebookTwitterLinkedIn

Brazilian Router Attack Ramps up Operation

Currently, owners of routers within the borders of Brazil are experiencing a sustained attack on their home routers. For nearly a year now routers based in Brazil have been targeted with a new type of router attack, which according to researchers at multiple security firms has not been seen anywhere else in the world. If the attack spreads to routers in other countries this will mean Brazil is ground zero for this new kind of attack and a single Brazilian router may hold the infamous and unwanted title of patient zero. Often routers are targeted for the creation of botnets, such as Mirai or other DNS (Domain Name Server) attacks. This latest attack shares many similar traits with other DNS attacks but differs in some significant ways. A DNS attack can be defined as an attack which looks to take advantage of certain vulnerabilities arising from the DNS system. These include DNS spoofing or Cache Poisoning, when the attacker corrupts a DSN server by replacing a legitimate IP address in the server’s cache with that of another, rogue address in order to redirect traffic to a malicious website, collect information or initiate another attack; and Denial of Service attacks which involve an attack in which a malicious bot sends send more traffic to a targeted IP address than what it was designed to handle resulting in downtime.

As was mentioned above the attack which for the time being is confined to Brazil started last year and was first observed by researchers at Radware and later verified by researchers at NetLab, a division of Chinese security firm Qihoo 360. At the time both firms noted that the hackers behind the attack were had infected over 100,000 home routers in Brazil and were modifying their DNS settings. The compromised routers were then used to redirect users to clone websites of some of Brazil’s popular banks, hoping that users would then enter in login credentials to those banks thus granting the hackers’ access to user’s online banking portals. In April of 2019, according to an article published by Bad Packets, a newer campaign began specifically targeting D-Link routers. As well as looking to target a specific brand of router hackers were also redirecting users to phishing pages for Netflix, Google, and PayPal, to collect their credentials according to an article published by security firm Ixia.

brazillian router attack

This was not the end for owners of routers. In a new report published by Avast, the attacks have not stopped and according to the company, hackers have infected and modified the DNS settings of over 180,000 Brazilian routers. This number is for the first half of 2019 and numbers are expected to rise significantly. Adding to the significant number of compromised routers, the complexity of the attacks has increased, and the number of actors involved in the attacks appears to have gone up as well. Those behind the attacks are also continually adopting better tools in an attempt to infect more routers. Users initially have their routers hacked while they are visiting popular sports and media streaming websites, hackers further also target those visiting adult content sites. Once on the site code is run via malicious ads while the user is watching streamed content. The malicious code is run in the browser and can detect the IP address of a home router and the router's model. When they detect the router's IP and model, the malicious ads then use a list of default usernames and passwords to log into users' devices, without their knowledge.

Advanced Tool Kit

If this initial attack is successful the malicious ads will then relay more malicious code via the browser. This time the code will modify the default DNS settings on the victims' routers, replacing the DNS server IP addresses routers receive from the upstream ISPs with the IP addresses of DNS servers managed by the hackers. The next time the user connects through the router it will receive the malicious DNS server IP addresses. This allows the hackers to funnel it will receive the malicious DNS server IP addresses. To complete this nefarious task successfully the attackers have used an advanced set of tools to get the job done. These tools, or exploit kits, are GhostDNS, Navidade, and SonarDNS. According to Avast GhostDNS and a newer variant called Navidade,

“is very popular in the Brazilian underground hacking scene and some of its variants belong to the most active exploit kits targeting Brazilian routers in 2019. The GhostDNS variant Novidade attempted to infect Avast users’ routers over 2.6 million times in February alone and was spread via three campaigns. According to Netlab360, GhostDNS consists of a complex system with a phishing web system, web admin system, and rogue DNS system.”

The last tool, SonarDNS, is a new botnet and appears to be a re-purposed penetration testing framework named Sonar.js. Researchers believe that the re-purposing of this JavaScript library was a perfect choice as it was legitimately used initially for identifying and launching exploits against internal network hosts. The testing tool is also capable of determining router type as well as running the exploit kits employed by the hacker. The combination of tools is worrying as it shows that the hackers behind the campaign are far from amateurs. Further DNS attacks can be some of the most dangerous to the end-user as often online credentials are what the hackers are after, and in particular banking credentials, which can result in a significant financial loss for the end-user. It is still unknown as to why the operators of this campaign have not spread yet to targeting routers outside of Brazil, however, researchers are warning users as to the possibility of infection if the hackers begin thinking the grass may be greener abroad.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal