GhostDNS exploit kit source code leaked to antivirus company

Malware analysts received unrestricted access to the components of GhostDNS exploit kit after the malware package essentially fell into their lap.

GhostDNS is a router exploit kit that uses cross-site request forgery (CSRF) requests to change the DNS settings and send users to phishing pages to steal their login credentials, for various online services (banking, news, video streaming).

Honest mistake

The complete source code for the malware kit and multiple phishing pages, all compressed in a RAR archive, was uploaded to a file-sharing platform by a careless user with obvious cybercriminal intentions.

The uploader, however, did not protect the archive with a password and had Avast antivirus installed and left active the Web Shield component, which protects against malicious web content.

This allowed the file to be analyzed by Avast’s web protection technology and triggered router exploit kit detections, prompting a closer look at the malware.

In a blog post today, Avast Threat Intelligence Team details the functionality of GhostDNS, which was enclosed in a file called “KL DNS.rar,“ its structure shown in the image below.

The name of the file hints that the tool uses DNS hijacking and keylogging to obtain sensitive info from its victims and Avast confirmed this when looking at the source code structure.

They found included in the archive two methods for attacking routers, Router EK and BRUT, both requiring CSRF requests to change the DNS‌ settings on the device.

Components at a glance

Router EK attacks from the local network and requires the user to click on a malicious link. BRUT is a mass scanner that looks for routers exposed on the public internet and attacks them - no user intervention is needed in this case.

The researchers found a list of prefixes for IP‌ addresses in 69 countries to be scanned for reachable devices; for each prefix, a total of 65,536 addresses were checked.

Most of the targeted countries are in South America, with Brazil being by far at the top but the U.S., Australia, and Germany were also in the top 10.

The researchers found that in some versions of the kit, after the attacker selects a prefix, a banner with GhostDNS' name is printed to inform that the CSRF request executed. However, the name of the kit is spelled wrong.

To gain access to the device and change its DNS settings, a newer version of the malware relies on brute-force attacks that use a small dictionary of just 22 credentials. An older variant relies on a set of 84 credentials.

These are common sets and default sets from the device manufacturer or the internet service provider.

After gaining access to the target device, the malware changes the DNS settings so they point to the attacker’s server(s). To make it easier, the kit includes a cracked SimpleDNS Plus, a DNS‌ server application for Windows.

Avast's report today describes the functions of RouterEK, the component deployed on the local network via malvertising redirects. When the user clicks on the malicious link, a search for the router’s internal IP‌ address begins.

A smaller set of credentials is used than in the case of BRUT. Avast found only eight usernames and passwords, all being the most used in Brazil.

If the login is found, then GhostDNS’ operation is finished and it’s time for the phishing pages to do their job.

Several templates were present in the archive that Avast received. They imitated the websites of the biggest banks in Brazil and Netflix.

CSRF attacks are a simple method to hijack a device’s DNS settings to redirect to a rogue web page controlled by cybercriminals that looks indistinctly from the original one.

The full report from Avast, with technical details on the GhostDNS source code they analyzed, is available here.

Comments are closed.