GhostDNS: Botnet Hijacks Over 100,000 Routers with New DNS Changer

Major Malware Campaign Targets Home Routers, Compromising User Security

Chinese cybersecurity researchers have revealed a significant ongoing malware campaign, known as GhostDNS, which has compromised over 100,000 home routers. The attack modifies the Domain Name System (DNS) settings of these devices, routing users to malicious websites designed to steal login credentials, particularly when accessing banking sites.

GhostDNS operates similarly to the notorious DNSChanger malware, which allowed attackers to reroute victims’ internet traffic through their own malicious servers. According to a report by cybersecurity firm Qihoo 360’s NetLab, the campaign primarily scans for routers with weak or poorly configured passwords, enabling attackers to modify the DNS settings to direct users to malicious servers.

The GhostDNS system includes several modules, each with a distinct role in compromising targeted routers. The core component, the DNSChanger module, is further divided into three sub-modules: Shell DNSChanger, which uses a collection of Shell scripts to brute-force passwords; Js DNSChanger, a JavaScript-based set of scripts aimed at infecting specific router models; and PyPhp DNSChanger, which combines Python and PHP for broader attacks across various router types.

The Web Admin module acts as an administration panel secured by a login page, while the Rogue DNS module resolves targeted domain names through attacker-controlled servers; all other domains resolve normally, so the hijack is not obvious to the victim. Reports indicate that around 52 domain names have been hijacked, with many tied to popular banking and cloud services. The Phishing Web module serves counterfeit versions of the legitimate sites to capture the credentials users enter.

The campaign’s focus is predominantly on Brazil, where approximately 87.8% of the compromised devices—around 87,800 in total—are located. Researchers highlighted that major Brazilian financial institutions, as well as services like Netflix, have been targeted in the effort to intercept user credentials.

Given the scale and sophistication of the GhostDNS campaign, it poses a severe risk to individuals and businesses alike. The automated nature of these attacks raises concerns about potential vulnerabilities in home and small business networks.

In response to such threats, cybersecurity experts urge users to take precautionary measures. Ensuring that routers have the latest firmware updates and strong, unique passwords is essential. They also recommend disabling remote administration features, changing the default local IP address, and hardcoding trusted DNS servers within router settings.
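Because the Rogue DNS module only answers falsely for a short list of targeted domains, checking which resolver a device points at is not enough on its own; the answers themselves have to be compared against a trusted resolver. The following added example (not code from the NetLab report or the article) shows both checks: it parses a resolv.conf-style configuration and classifies each nameserver as trusted, LAN (the router itself, which is normal on a home network) or unexpected, and it flags any domain whose answers from the configured path share no address with a trusted resolver's answers. All resolver addresses, domain names and answer sets are constructed sample data from the IANA documentation ranges, and the `TRUSTED_RESOLVERS` allowlist is an assumed operator choice, not something the article specifies.

```python
"""Detect selective DNS hijacking of the kind GhostDNS performs.

Added example, not from the NetLab report or the article. Every address,
domain and answer set below is constructed sample data; the domain names
are placeholders, not the domains the campaign actually targeted.
"""
import ipaddress
import re

# Resolvers the operator has chosen to trust (assumed allowlist).
TRUSTED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}

# RFC 1918 ranges: a nameserver here is almost always the home router itself.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed resolv.conf: the router plus a stray public resolver.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP (constructed sample)
nameserver 192.168.0.1
nameserver 198.51.100.7   # 198.51.100.0/24 stands in for a public address
search lan
"""

# Constructed answers: what the configured path returned per domain ...
CONFIGURED_ANSWERS = {
    "bank.example": {"203.0.113.45"},            # phishing host, overlaps nothing
    "streaming.example": {"192.0.2.10"},         # one member of a CDN pool
    "news.example": {"192.0.2.30"},
}
# ... and what a trusted resolver returned for the same names.
TRUSTED_ANSWERS = {
    "bank.example": {"198.51.100.20", "198.51.100.21"},
    "streaming.example": {"192.0.2.10", "192.0.2.11"},
    "news.example": {"192.0.2.30"},
}


def parse_nameservers(resolv_conf: str) -> list:
    """Return nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            servers.append(m.group(1))
    return servers


def classify_resolvers(servers) -> dict:
    """Split resolvers into trusted, LAN (router) and unexpected.

    A LAN resolver is normal: the router forwards queries upstream, and it
    is the router's *upstream* setting that GhostDNS rewrites. That change
    is invisible here, which is why find_hijacked() is also needed.
    """
    result = {"trusted": [], "lan": [], "unexpected": []}
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            result["unexpected"].append(s)
            continue
        if s in TRUSTED_RESOLVERS:
            result["trusted"].append(s)
        elif addr.is_loopback or any(addr in net for net in RFC1918):
            result["lan"].append(s)
        else:
            result["unexpected"].append(s)
    return result


def find_hijacked(configured: dict, trusted: dict) -> list:
    """Flag domains whose configured answers share no address with the
    trusted answers.

    An empty intersection, rather than inequality, tolerates CDN round-robin
    (two honest resolvers may return different subsets of one pool), while a
    rogue answer pointing at a phishing host overlaps with nothing legitimate.
    """
    hijacked = []
    for domain, answers in configured.items():
        good = trusted.get(domain)
        if good is not None and not set(answers) & set(good):
            hijacked.append(domain)
    return sorted(hijacked)


def run_checks() -> dict:
    """Run both checks over the constructed sample data and return a report."""
    resolvers = classify_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF))
    return {"resolvers": resolvers,
            "hijacked": find_hijacked(CONFIGURED_ANSWERS, TRUSTED_ANSWERS)}


if __name__ == "__main__":
    report = run_checks()
    print("unexpected resolvers:", report["resolvers"]["unexpected"])
    print("domains answered differently from the trusted resolver:",
          report["hijacked"])
```

In a real deployment the two answer dictionaries would be filled by querying the configured path and a trusted resolver for the same list of high-value domains (the banking and streaming names a household actually uses); the comparison logic stays the same. A domain that trips `find_hijacked()` while the resolver list looks normal is exactly the pattern a rewritten router upstream setting produces.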

This incident exemplifies key tactics outlined in the MITRE ATT&CK framework, including initial access via exploitation of weak credentials, persistence through modified DNS settings, and potential privilege escalation as attackers gain unauthorized access to user accounts. As cyber threats continue to evolve, maintaining robust security protocols is imperative for all users, particularly in an increasingly interconnected world.
