Author: Yadu Nadh
TLP: WHITE
On 26 January, Team Cymru posted an update to their analysis of the GhostDNS exploit kit.1,2 Their report detailed an ongoing GhostDNS campaign that targets unsuspecting users by compromising their routers and changing the routers' DNS settings so that victims are delivered to phishing websites. NetLab has also reported on this campaign.3
GhostDNS is an exploit kit that threat actors can use to change DNS settings to route victim requests for certain websites to phishing pages on malicious servers.4 Requests for other sites use a secondary, usually public, server such as Google’s public DNS server. This feature allows threat actors to avoid detection for long periods of time.
This campaign targets more than 70 different types of routers with weak passwords or unpatched vulnerabilities to redirect victims to phishing websites that steal user credentials. The threat actor appears to be targeting Brazilian banks located in Brazil and Argentina, and their customers.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://team-cymru.com/blog/2021/01/26/illuminating-ghostdns-infrastructure-part-3/
2. https://team-cymru.com/blog/2020/09/08/illunimating-ghostdns-infrastructure-part-1/
3. https://blog.netlab.360.com/70-different-types-of-home-routers-all-together-100000-are-being-hijacked-by-ghostdns-en/
4. https://decoded.avast.io/simonamusilova/ghostdns-source-code-leaked/