Enormous botnet used to hijack traffic destined for Brazilian banks


This botnet redirects hijacked traffic to more than 50 active phishing sites

More than 100,000 routers have had their DNS settings altered so that users are redirected to phishing pages. The redirection is selective: it happens only when users try to reach the online banking pages of several Brazilian banking institutions, so ordinary browsing looks normal and the compromise goes unnoticed.

According to specialists at the International Institute of Cyber Security, about 88% of the affected routers are located in Brazil, and the campaign has been running at least since mid-August, when the security company Radware first noticed the anomalous activity.

According to a new report published last week by a Chinese security firm, the group behind these attacks has escalated the campaign. By analyzing large amounts of collected data, the researchers were able to reconstruct the modus operandi of the operators behind this botnet.

According to the researchers, the attackers scan networks across Brazil for routers that use weak passwords or no password at all, log in to the router's administration interface and replace the legitimate DNS configuration with the addresses of DNS servers under their control. From then on, every DNS query that passes through a compromised router goes to the malicious resolvers, which return forged answers for a list of 52 sites and resolve everything else normally.

Most of these sites belong to Brazilian banks and web hosting services, and the forged answers send users to phishing pages built to harvest their credentials for the legitimate sites.
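The selective hijack described above, modelled end to end as an added example (this is not code from the report or from the operators' modules): a minimal DNS wire-format encoder/decoder, a rogue resolver that forges answers only for a watch list and forwards everything else, and the client-side check a practitioner can run against the resolver a suspect router hands out, comparing its answers with those of a trusted resolver. Domain names and addresses are constructed for illustration (RFC 5737 documentation ranges), not the real 52-site list; everything runs offline.

```python
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1

# Constructed watch list (not the real 52 domains): names the rogue
# resolver lies about, and the phishing host they are pointed at.
HIJACK_MAP = {
    "www.bancoexemplo.com.br": "203.0.113.10",
    "ib.bancoexemplo.com.br": "203.0.113.10",
}

def encode_name(name):
    """Dotted hostname -> uncompressed DNS label sequence."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf, off):
    """Read a name at buf[off], following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def build_query(name, txid=0x1234):
    """Recursive A query, as a client behind the router would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def parse_question(msg):
    """Return (txid, qname, qtype, qclass, offset past the question)."""
    txid = struct.unpack("!H", msg[:2])[0]
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype, qclass, off + 4

def build_answer(query, ip, ttl=60):
    """Response to `query` carrying a single A record pointing at `ip`."""
    txid, _, _, _, qend = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rr = (b"\xc0\x0c"                                         # name -> question
          + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
          + socket.inet_aton(ip))
    return header + query[12:qend] + rr

def rogue_response(query):
    """Malicious resolver logic: forge an answer only for listed names.
    None means 'forward upstream unchanged', which is what keeps the
    hijack invisible in day-to-day browsing."""
    _, name, qtype, qclass, _ = parse_question(query)
    if qtype == QTYPE_A and qclass == QCLASS_IN and name.lower() in HIJACK_MAP:
        return build_answer(query, HIJACK_MAP[name.lower()], ttl=5)
    return None

def parse_a_records(resp):
    """IPv4 addresses in the answer section of a response."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    off = parse_question(resp)[4]
    ips = []
    for _ in range(ancount):
        _, off = decode_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def resolver_disagreements(names, suspect_resolve, trusted_resolve):
    """Client-side check: resolve each name through the resolver the router
    hands out and through a trusted one; report names whose A records differ.
    Both resolvers are callables taking and returning raw DNS messages."""
    bad = {}
    for n in names:
        q = build_query(n)
        s_ips = sorted(set(parse_a_records(suspect_resolve(q))))
        t_ips = sorted(set(parse_a_records(trusted_resolve(q))))
        if s_ips != t_ips:
            bad[n] = (s_ips, t_ips)
    return bad

def demo():
    """Run the check against a simulated compromised router, offline."""
    # Constructed 'legitimate' answers the trusted resolver would return.
    legit = {"www.bancoexemplo.com.br": "198.51.100.20",
             "ib.bancoexemplo.com.br": "198.51.100.21",
             "www.exemplo.com.br": "192.0.2.80"}

    def trusted(q):
        return build_answer(q, legit[parse_question(q)[1]])

    def via_router(q):                 # rogue server first, passthrough otherwise
        return rogue_response(q) or trusted(q)

    return resolver_disagreements(legit, via_router, trusted)

if __name__ == "__main__":
    for name, (seen, expected) in demo().items():
        print(f"HIJACKED {name}: got {seen}, expected {expected}")
```

In a real check the two callables would send `build_query()` over UDP port 53 to the resolver advertised by the router's DHCP lease and to a resolver you trust; a mismatch on bank domains is the signature of this campaign, while agreement on everything else is exactly what the operators rely on. Comparing against the router's configured upstream rather than a public resolver would tell you nothing, since that upstream is the attacker's server.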

The attackers do all this with three modules that the researchers named Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger, after the languages in which each is written.

  • The first module, Shell DNSChanger, is a set of 25 shell scripts that brute-force the passwords of 21 router models or firmware packages
  • The second module, Js DNSChanger, is a smaller collection of 10 JavaScript scripts that brute-force the passwords of six router models or firmware packages
  • The third module, PyPhp DNSChanger, written in a combination of Python and PHP, is the most capable of the three. The researchers report that it has been deployed on more than 100 Google Cloud servers, from which the attackers continuously scan the Internet for vulnerable routers

In addition, the third module carries an exploit that bypasses the authentication of some routers and changes their DNS settings directly, so no password guessing is needed. The same flaw, known as the dnscfg.cgi vulnerability, had already been exploited in Brazil in February 2015 for the same purpose: changing router DNS settings to redirect customers of Brazilian banks to phishing sites.

In total, the operators of this botnet can attack more than 70 different router models or firmware packages. The researchers estimate that they have already infected more than 100,000 devices and currently host phishing pages for more than 70 different services.