Martijn Lammerts
My own digital place with a little of everything

New Exploit Kit “Novidade” Found Targeting Home and SOHO Routers

We identified a new exploit kit we named Novidade that targets home or small office routers by changing their Domain Name System (DNS) settings via cross-site request forgery (CSRF), enabling attacks on a victim’s mobile device or desktop through web applications in which they’re authenticated with. Once the DNS setting is changed to that of a malicious server, the attacker can execute a pharming attack, redirecting the targeted website traffic from all devices connected to the same router by resolving targeted domains to the IP address of their server.

The earliest Novidade sample we found was from August 2017, and two different variants were identified since. While one of the variants was involved in the DNSChanger system of a recent GhostDNS campaign, we believe that Novidade is not limited to a single campaign, as the exploit kit was also concurrently being used in different campaigns. One possibility is that the exploit kit tool was either sold to multiple groups or the source code was leaked, allowing threat actors to use the kit or create their own variations. Most of the campaigns we discovered used phishing attacks to retrieve banking credentials in Brazil. However, we also recently found campaigns with no specific target geolocation, suggesting that either the attackers are expanding their target areas, or a larger number of threat actors are using it.

We named the exploit kit Novidade, which means “novelty” in Portuguese, due to the title string “Novidade!” on the webpages of all the current variants.

Infection Chain

Figure 1. Novidade infection chain

We found Novidade being delivered through a variety of methods that include malvertising, compromised website injection, and via instant messengers. Once the victim receives and clicks the link to Novidade, the landing page will initially perform several HTTP requests generated by JavaScript Image function to a predefined list of local IP address that are mostly used by routers. If a connection is successfully established, Novidade will query the detected IP address to download a corresponding exploit payload, which is encoded Base64. Novidade will then blindly attack the detected IP address with all its exploits. This is followed by an attempt to try and log into the router with a set of default account names and passwords, after which a CSRF attack will be executed in order to change the original DNS server to the attacker’s DNS server. Once the router is compromised, all devices connected to it are vulnerable to additional pharming attacks.

Figure 2. An example of how Novidade is being delivered via instant messages

The example below is typical for the most cases observed using Novidade. In this scenario, the injected DNS server will resolve an IP address hosting a fake banking website if a user tries to connect to a targeted bank domain.

Figure 3. Example of traffic from a Novidade attack showing the malvertising method

One kit, three variants

We found three variants of Novidade, all of which share the same attack approach described above. However, the newer versions improve on the initial variant. The first version, which was found in the wild as early as August 2017, is the most basic version of the exploit kit that saw the most use during early campaigns. The second version has a similar code structure and adds a runtime JavaScript obfuscator to make the landing page look different depending on the attack. The JavaScript sub-module of GhostDNS is the second version of the Novidade exploit kit. The third variant retains the JavaScript obfuscator but refines the code on the landing page and adds a new feature to retrieve the victim’s local IP address by making requests to STUN servers with WebRTC. This technique was also employed by previous exploit kits such as Router. The third variant also allows attackers to embed a shortened URL link on their landing page, which is not used for redirection but rather to track attack statistics.

Current campaigns use both the second and third versions of Novidade in the wild.

  Version 1 Version 2 Version 3
Router CSRF Attack X X X
External IP Address Detection X
Runtime JavaScript Obfuscation X X
WebRTC STUN Request X
Shortened URL Statistic Tracker X
File Structure index2.html
api.ipaddress.php
api.init.php
index.php
index2.php
api.init.php
index.php
addon.js
inc.php
Local IP Address Scan List 10.0.0.1
10.0.0.2
10.0.0.3
10.1.1.1
10.0.0.138
192.168.0.1
192.168.1.1
192.168.1.2
192.168.1.254
192.168.2.1
192.168.25.1
192.168.100.1
192.168.254.254
10.0.0.1
192.168.0.1
192.168.1.1
192.168.2.1
192.168.15.1
192.168.25.1
192.168.100.1
10.0.0.1
192.168.0.1
192.168.1.1
192.168.2.1
192.168.5.248
192.168.15.1
192.168.25.1
192.168.100.1

Table 1. Comparing the three Novidade variants

The non-exhaustive list below includes possible affected router models based on our comparisons of the malicious code, network traffic, and published PoC code. Some of the router models were also included by Netlab 360 in a blog post on GhostDNS back in September 2018.

  • A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)
  • D-Link DSL-2740R
  • D-Link DIR 905L
  • Medialink MWN-WAPR300 (CVE-2015-5996)
  • Motorola SBG6580
  • Realtron
  • Roteador GWR-120
  • Secutech RiS-11/RiS-22/RiS-33 (CVE-2018-10080)
  • TP-Link TL-WR340G / TL-WR340GD
  • TP-Link WR1043ND V1 (CVE-2013-2645)

Examining the Novidade campaigns

We found several campaigns using Novidade to attack routers. A large number of these campaigns target Brazilian users, delivering the kit via malvertising attacks to steal banking information. Using the shortened URL link embedded in Novidade to track statistics, we discovered that the largest campaign has delivered the exploit kit 24 million times since March. In September and October, we also found two campaigns using different ways to deliver Novidade.

The first campaign used notifications on instant messengers regarding the 2018 Brazil presidential election as a lure. The malicious page is displayed as a normal survey on the election candidates. However, Novidade was also injected into the page. This attack proved to be especially devious, as Novidade attacked the victim’s router while they were filling out the survey. This is immediately followed by a request for the victims to share the survey website to 30 people via instant messenger to receive the results of the candidate survey.

Once a router is compromised, it will change the DNS server to 144[.]217[.]24[.]233. Unfortunately, we were unable to check the domain targeted in the pharming attack as the DNS server was already being shut down during the time we were able to analyze it.

Figure 4. Fake presidential election survey with an embedded Novidade exploit kit. The question at the bottom part asks if the recipient has already participated in election research

We observed another campaign starting in late October 2018 after we noticed multiple compromised websites being injected with an iframe that was redirecting people to Novidade. In this instance, we saw that the campaign injected their attack into websites in other countries, and not just in Brazil like before. The DNS setting of the compromised router is changed to a malicious DNS server at 108[.]174[.]198[.]177, which will resolve to an IP address (107[.]155[.]132[.]183) of a phishing web server whenever the victim accesses the “google.com” domain. Once the victim accesses the targeted domain, they will instead see a social engineering page that asks the victim to download and install a software. We were unable to verify what kind of software was actually delivered since the download link was no longer available. However, it is likely a malware or potentially unwanted application since the technique used has been done many times before.

Figure 5. Source code of a compromised website with an injected hidden iframe that redirects the victim to the Novidade exploit kit

Figure 6. The fake software download

Recommendations and best practices

To defend against exploit kits like Novidade, we recommend that users always upgrade their device’s firmware to the latest version. Default usernames and passwords are a highly common gateway for exploits, thus it is also important to use strong passwords on all user accounts. It is also recommended to change the router’s default IP address, as well as disable remote access features to minimize the chances for an attacker to externally manipulate the device. Finally, users should always use secure web connections (HTTPS) to access sensitive websites to prevent pharming attacks.

Trend Micro Solutions

Trend Micro endpoint solutions such as Trend Micro SecuritySmart Protection Suites, and Worry-Free Business Security can protect users and businesses from this threat by blocking all related malicious URLs and detecting the malicious files. Trend Micro Mobile Security Personal Edition and Mobile Security Solutions also block all related malicious URLs that are used in attacks such as Novidade.

Trend Micro™ Deep Security and Vulnerability Protection protect user systems from any threats that may target the vulnerabilities addressed in this month’s round of updates via the following DPI rules:

  • 1130410,WEB Multiple Devices Unauthenticated Remote DNS Change Vulnerability
  • 1131093,WEB Multiple Devices Unauthenticated Remote DNS Change Vulnerability

Indicators of Compromise (IoCs)

IoC Details
globo[.]jelastic[.]servint[.]net Novidade exploit kit domain
landpagebrazil[.]whelastic[.[net Novidade exploit kit domain
light[.]jelastic[.]servint[.]net Novidade exploit kit domain
52[.]47[.]94[.]175 Novidade exploit kit IP address
pesquisaeleitoral2018[.]online Social Engineering Domain
pesquisaparapresidente[.]online Social Engineering Domain
108[.]174[.]198[.]177 Malicious DNS server
144[.]217[.]24[.]233 Malicious DNS server
172[.]245[.]14[.]114 Malicious DNS server
192[.]3[.]178[.]178 Malicious DNS server
192[.]3[.]190[.]114 Malicious DNS server
192[.]3[.]8[.]186 Malicious DNS server
198[.]23[.]140[.]10 Malicious DNS server
198[.]46[.]131[.]130 Malicious DNS server
23[.]94[.]149[.]242 Malicious DNS server
23[.]94[.]190[.]242 Malicious DNS server
23[.]95[.]82[.]42 Malicious DNS server
107[.]155[.]132[.]183() Pharming web server
178[.]159[.]36[.]75 Pharming web server
91[.]234[.]99[.]242 Pharming web server

The post New Exploit Kit “Novidade” Found Targeting Home and SOHO Routers appeared first on .

Share

Share

Ads