Malware campaign uses CSRF to change routers' DNS settings

Dec 11, 2018 21:50 GMT  ·  By

Trend Micro's security researchers discovered multiple campaigns during September and October that wielded the Novidade exploit kit capable of changing Domain Name System (DNS) settings on home and SOHO routers with the help of cross-site request forgery (CSRF) attacks.

The attackers employ the exploit kit against victims using both desktop and mobile devices, with the vast majority of malware campaigns that utilized it targeting the banking credentials of Brazilian customers.

Novidade can exfiltrate banking info from its targets by changing vulnerable routers' DNS settings to those of maliciously configured servers controlled by its masters, allowing them to carry out pharming attacks on all devices connected to the compromised router.

As discovered by Trend Micro, the first Novidade samples were unearthed in August 2017, and two separate strains have been spotted in the wild so far, used in multiple campaigns.

Novidade detected in malware campaigns orchestrated by multiple threat actors

This leads to the conclusion that the exploit kit has either been sold or shared between multiple threat groups, or that its source code was inadvertently leaked and then modified by other groups to suit their needs and added to their toolsets.

Another hint pointing at its usage by multiple bad actors is the fact that Novidade has also been discovered as the tool of choice in malicious campaigns that were targeting victims following no specific geolocation rule.

Trend Micro further found out during Novidade's analysis that the exploit kit was "delivered through a variety of methods that include malvertising, compromised website injection, and via instant messengers."

Once the target receives a link pointing to the Novidade-powered web app, the page automatically runs multiple HTTP requests to local IP addresses in an effort to find active routers. Once it connects to a host, it downloads its exploit payload and starts attacking the router with all the exploits contained within.
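The scanning phase described above has a recognisable signature from the defender's side: a page served from a public origin issuing requests to several private (RFC 1918) addresses. The following is an added detection example, not code from the article or from Trend Micro; it runs over constructed request-log lines of the form `<page origin> <requested URL>`, as a browser extension or forward proxy might record them, and the origins, addresses and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: one line per request, "<page origin> <requested URL>",
# as a browser extension or forward proxy might record it (not real Novidade traffic).
# The ads.example origin mimics the scanning phase described above: a page served
# from a public host firing requests at private router addresses.
SAMPLE_LOG = """\
https://news.example https://news.example/index.html
https://news.example https://cdn.example/app.js
http://ads.example http://192.168.0.1/
http://ads.example http://192.168.1.1/
http://ads.example http://10.0.0.1/
http://ads.example http://192.168.0.1/dnscfg.cgi
http://192.168.0.5 http://192.168.0.1/status
http://192.168.0.5 http://192.168.0.2/status
http://192.168.0.5 http://192.168.0.3/status
"""


def private_ip_host(url):
    """Return the host of `url` if it is a literal private-range IP, else None."""
    host = urlparse(url).hostname
    try:
        return host if host and ipaddress.ip_address(host).is_private else None
    except ValueError:
        return None  # a hostname, not an IP literal


def find_router_scanners(log_text, threshold=3):
    """Map each public page origin to the distinct private IPs it contacted,
    keeping only origins that hit at least `threshold` of them."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        origin, url = parts
        if private_ip_host(origin):
            continue  # a LAN-hosted page talking to the LAN is expected
        target = private_ip_host(url)
        if target:
            hits[origin].add(target)
    return {o: sorted(ips) for o, ips in hits.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for origin, ips in find_router_scanners(SAMPLE_LOG).items():
        print(f"{origin} probed {len(ips)} private hosts: {', '.join(ips)}")
```

Only the public ads.example origin is reported; the page served from 192.168.0.5 is skipped because LAN-hosted pages are expected to talk to LAN devices.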

Possibly affected router models

Novidade uses brute-force and CSRF attacks to infiltrate vulnerable routers 

Next, Novidade attempts to log into the discovered router using a brute-force attack and launches a CSRF attack designed to change the router's original DNS settings to the attacker's DNS server.

Following this last attack stage, the banking credentials on devices connected to the compromised router will be pillaged using pharming attacks.

As defense measures against Novidade campaigns, Trend Micro recommends the upgrade of all routers' firmware as well as changing the default usernames and passwords to avoid being vulnerable to brute-force attacks.

Additionally, users are advised to disable remote access features to block attackers from connecting to the routers remotely, and to change the default IP address so that the routers cannot be found on the local network by scans of hardcoded IP ranges.

Images: Novidade exploit kit; Novidade infection chain; example of traffic from a Novidade attack.