Malware analysts were given unrestricted access to the components of the GhostDNS malware kit after its operators essentially handed it to them.
GhostDNS is a toolkit that targets routers, using Cross-Site Request Forgery (CSRF) to change their DNS settings and send users to phishing sites that steal credentials for various online services (banking, messaging, video streaming).
The complete source code of a number of malware components and various phishing sites, compressed into a RAR archive, was uploaded to a file-sharing platform by a careless user, apparently one of the cybercriminals themselves.
However, the uploader had not password-protected the archive and had Avast antivirus installed, with the Web Shield component active to protect against malicious web content.
This allowed Avast's web security technology to scan the file and detect a number of router exploits, giving the researchers a closer look at the malware.
Avast downloaded the file and found the complete source code of GhostDNS.
In an article published today on the blog of the Avast Threat Intelligence Team, the researchers describe in detail the functionality of GhostDNS, which was contained in a file called KL DNS.rar; the structure of the archive is shown in the figure below.
The file name suggests that the tool uses DNS hijacking and keylogging to obtain confidential information from victims, which Avast confirmed by examining the structure of the source code.
In the archive they found two methods of attacking routers, Router EK and BRUT, both of which rely on CSRF requests to change the device's DNS settings.
Router EK attacks from the local network and requires the user to follow a malicious link. BRUT is a mass scanner that scans and attacks routers exposed on the public internet; in this case no user intervention is required.
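Both Router EK and BRUT reach the router's DNS settings page through CSRF, so the defensive question is what the settings handler should have checked before accepting a change. The Python sketch below is an added illustration, not code from the Avast report or from GhostDNS: it puts a cookie-only handler (the kind CSRF relies on) beside a hardened one that also demands a per-session synchronizer token and a matching Origin. The request shape, the session store, ROUTER_ORIGIN and all addresses are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory state standing in for a router's session store and
# DNS configuration. Addresses are from RFC 5737 documentation ranges; none of
# this models real firmware or the GhostDNS code discussed on the page.
ROUTER_ORIGIN = "http://192.168.0.1"
SESSIONS = {"sess-abc": {"user": "admin", "csrf_token": secrets.token_hex(16)}}
DEFAULT_DNS = {"dns1": "192.0.2.53", "dns2": "192.0.2.54"}


def make_request(session_cookie, form, origin=None):
    """Build a minimal request in the (hypothetical) shape the handlers expect."""
    headers = {"Origin": origin} if origin else {}
    return {"cookies": {"session": session_cookie}, "form": form, "headers": headers}


def vulnerable_set_dns(request, config):
    """'Before' handler: the only check is a valid session cookie.

    The browser attaches that cookie to any request aimed at the router, so a
    form auto-submitted by a page the user merely visited is indistinguishable
    from the genuine admin UI. This is the gap CSRF-based DNS changers use.
    """
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "login required"
    config["dns1"] = request["form"]["dns1"]
    config["dns2"] = request["form"]["dns2"]
    return 200, "dns updated"


def hardened_set_dns(request, config):
    """Hardened handler: session cookie plus synchronizer token plus origin check."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "login required"

    # 1. Synchronizer token: must equal the per-session secret that only the
    #    router's own admin page can embed in its form (constant-time compare).
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid csrf token"

    # 2. Origin check: a state-changing request must come from the router's
    #    own UI. A missing Origin/Referer is treated as cross-origin.
    source = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != ROUTER_ORIGIN:
        return 403, "cross-origin request rejected"

    config["dns1"] = request["form"]["dns1"]
    config["dns2"] = request["form"]["dns2"]
    return 200, "dns updated"


def compare_handlers():
    """Replay one cross-site submission against both handlers and return the
    resulting primary DNS server for each ('before', 'after')."""
    cross_site = make_request(
        "sess-abc", {"dns1": "203.0.113.5", "dns2": "203.0.113.6"},
        origin="http://attacker.example",
    )
    before, after = dict(DEFAULT_DNS), dict(DEFAULT_DNS)
    vulnerable_set_dns(cross_site, before)
    hardened_set_dns(cross_site, after)
    return before["dns1"], after["dns1"]


if __name__ == "__main__":
    print(compare_handlers())  # ('203.0.113.5', '192.0.2.53')
```

The two checks are deliberately independent: the token defeats a cross-site form even when the browser sends no Origin header, and the Origin check catches a token that leaked through some other weakness. Both must pass before the configuration is touched.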
The researchers found a list of prefixes for IP addresses in 69 countries, which were scanned for available devices; a total of 65,536 addresses were scanned for each prefix.
Most of the targeted countries are in South America, with Brazil at the forefront and the United States, Australia and Germany also in the top ten.
The investigators found that in some versions of the package, after the attacker selected a prefix, a banner reading GhostDNS was printed to indicate that the CSRF request had been completed. However, the name in the banner is misspelled.
To gain access to the device and change the DNS settings, the new version of the malware uses brute-force attacks with a small dictionary of only 22 credentials. The old version relies on a set of 84 credentials.
These are the usual default credentials set by the device manufacturer or the Internet service provider.
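A dictionary of 22 or 84 default credentials tried against a router's login page leaves a recognisable trace in the device's authentication log: a burst of failures from one source, often followed by a success once a default pair matches. The detector below is an added example, not part of this page or of Avast's analysis; the log line format, the addresses, the timestamps and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a router's admin-login log. The format, addresses and
# timestamps are invented for this example; no real device emits exactly this.
SAMPLE_LOG = """\
2019-05-01T10:00:01 auth: login failed user=admin src=198.51.100.7
2019-05-01T10:00:02 auth: login failed user=admin src=198.51.100.7
2019-05-01T10:00:03 auth: login failed user=user src=198.51.100.7
2019-05-01T10:00:04 auth: login failed user=root src=198.51.100.7
2019-05-01T10:00:05 auth: login failed user=support src=198.51.100.7
2019-05-01T10:00:06 auth: login ok user=admin src=198.51.100.7
2019-05-01T10:05:00 auth: login failed user=admin src=192.168.0.23
2019-05-01T10:09:00 auth: login ok user=admin src=192.168.0.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return one event dict per well-formed line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector for credential guessing against a login endpoint.

    A source is flagged once it accumulates `threshold` failures inside
    `window`; a later success from a flagged source is escalated separately,
    because a successful login right after a burst of guesses is the signature
    of a dictionary hitting a default credential.
    """
    recent = defaultdict(deque)      # src -> deque of (timestamp, username)
    flagged = set()
    alerts = []
    for ev in events:
        q = recent[ev["src"]]
        if ev["result"] == "failed":
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({
                    "kind": "bruteforce",
                    "src": ev["src"],
                    "failures": len(q),
                    "usernames": sorted({u for _, u in q}),
                    "at": ev["ts"],
                })
        elif ev["src"] in flagged:
            alerts.append({
                "kind": "success_after_bruteforce",
                "src": ev["src"],
                "user": ev["user"],
                "at": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second alert kind is the one worth paging on: a single typo from the LAN (the 192.168.0.23 lines) never reaches the threshold, while a short dictionary run from the WAN side that ends in a successful login is exactly the sequence the BRUT component would produce on an exposed router.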
After gaining access to the target device, the malware changes its DNS settings to point to the attacker's server(s). For convenience, the kit includes a cracked copy of SimpleDNS Plus, a Windows DNS server application.
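Because the end result of both attack paths is a router that hands its clients a resolver the network's operator never chose, a cheap check on any LAN client is to compare the configured nameservers against the resolvers the network is expected to use. The script below is an added example, not from this page or from Avast; the allowlist, the resolv.conf sample and the address ranges are assumptions, and the only real library used is Python's standard ipaddress module.

```python
import ipaddress

# Assumed allowlist of resolvers this network is expected to use: the ISP's
# resolver range (constructed, RFC 5737 documentation space) plus a few well
# known public resolvers. Replace with what your ISP actually assigns.
EXPECTED_RESOLVERS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",
    "1.1.1.1/32", "1.0.0.1/32",
    "8.8.8.8/32", "8.8.4.4/32",
    "9.9.9.9/32",
)]

# Addresses that mean "the local router or a stub resolver": the real upstream
# setting then lives on the device and cannot be judged from the client.
# Listed explicitly rather than via ip.is_private, which would also swallow
# the RFC 5737 documentation ranges used in this example.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128",
)]

# Constructed sample: what a client on the LAN might see after its router was
# reconfigured to hand out one rogue resolver alongside the ISP's.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
nameserver 203.0.113.9
nameserver 192.0.2.53
search home.lan
"""


def parse_nameservers(text):
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr):
    """Return 'local', 'expected' or 'unexpected' for one resolver address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in LOCAL_NETWORKS):
        return "local"
    if any(ip in net for net in EXPECTED_RESOLVERS):
        return "expected"
    return "unexpected"


def check_resolvers(text):
    """Map each configured resolver to its classification."""
    return {addr: classify_resolver(addr) for addr in parse_nameservers(text)}


def hijack_suspected(text):
    """True if any configured resolver is neither local nor on the allowlist."""
    return "unexpected" in check_resolvers(text).values()


if __name__ == "__main__":
    print(check_resolvers(SAMPLE_RESOLV_CONF))
    print("hijack suspected:", hijack_suspected(SAMPLE_RESOLV_CONF))
```

The caveat a practitioner should keep in mind is the "local" case: most home clients are told to use the router itself (192.168.0.1 or similar) as their resolver, so the client-side view is clean even when the router's WAN-side DNS setting has been changed. In that situation the same comparison has to be run against the DNS servers shown on the router's own status or WAN page.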
Today's Avast report describes the characteristics of RouterEK, the component used on the local network by way of malicious redirects. When a user clicks a malicious link, a search for the router's internal IP address begins.
The number of credentials used is lower than in BRUT: Avast found only eight username and password pairs, all of them among the most commonly used in Brazil.
Once a working login is found, the GhostDNS part of the operation is complete and it is time for the phishing sites to do their job.
The archive also contained several phishing page templates, which Avast recovered. They imitated the websites of the largest Brazilian banks and Netflix.
CSRF attacks are an easy way to hijack a device's DNS settings and redirect users to a fraudulent web page, controlled by cybercriminals, that only vaguely resembles the original.
A full report from Avast with technical details of the GhostDNS source code they analyzed is available here.