A report released by researchers claims that they have detected a highly sophisticated cyber attack that could be seen as the return of the DNS hijacking Trojan that was active from 2007 to 2012. The attack targets a range of SOHO routers vulnerable to well-devised exploits, and it uses malvertising to lure targets to malicious DNS servers loaded with the DNSChanger exploit kit.

The attack also involves a very professional level of reconnaissance, after which the target's router is made to connect to malicious DNS servers loaded with the DNSChanger exploit kit, which tampers with the DNS records and takes control of the targeted router.

A notable technique called steganography is used to conceal code in the images used in the malicious ads, which are served to the victim through legitimate websites.

Let's go through the stages of the attack to understand how these cyber criminals actually execute it:

Stage 1: The malicious ads served to the potential victim on a golden platter

The malicious ads (also known as malvertising) are made to appear on a legitimate website. These ads are programmed to check whether the IP address of the visitor is within the targeted range. This behavior is typical of many malvertising campaigns, since they aim to remain undetected for a long time. This is also the first of two waves of such ads that are deliberately served to the potential victim.

Stage 2: Deciding whether to attack the captured IP address

  • If the IP address does not fall within the targeted range: the user is served a legitimate ad with no malware embedded in it.
  • If the IP address does fall within the targeted range: if the IP address is one that the attackers consider a target, that user is served an ad which has the exploit code embedded in its metadata. This code is stored in the PNG image used in the malicious advert.

Stage 3: The act of ‘forceful redirection’ to a malicious landing page

What does the code embedded in the PNG image actually do?

The code that is served to the target has the capability to redirect the user to a webpage of the attacker's choosing. In this case the malicious ad with the exploit code concealed in it redirects the target to a landing page hosted by a malicious DNS server which is loaded with the DNSChanger exploit kit.
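Stages 2 and 3 both turn on the same detail: the payload rides in the PNG's metadata rather than in its pixels. As a defender, the practical check is to walk the PNG chunk structure and flag text chunks (or bytes appended after the IEND chunk) that carry script-like content. The following is an added example written for this article, not code from the researchers' report; the PNG samples are constructed in the block itself, and the marker list is an assumption chosen for illustration.

```python
"""Walk PNG chunks and flag metadata that carries script-like content."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types that legitimately hold free text, and so can hide a payload.
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
# Assumed markers: a web-served ad image has no business carrying these.
SUSPICIOUS_MARKERS = (b"<script", b"eval(", b"document.", b"window.location")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(text_chunks, trailing: bytes = b"") -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG with optional tEXt
    chunks and optional bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one gray pixel
    body = _chunk(b"IHDR", ihdr)
    for keyword, text in text_chunks:
        body += _chunk(b"tEXt", keyword + b"\x00" + text)
    body += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return PNG_SIGNATURE + body + trailing


def parse_chunks(data: bytes):
    """Yield (type, payload) per chunk, verifying each CRC, then
    (b'TRAILING', bytes) if anything follows IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk")
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if crc != (zlib.crc32(ctype + payload) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in {ctype!r}")
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            if pos < len(data):
                yield b"TRAILING", data[pos:]
            return
    raise ValueError("missing IEND")


def _text_of(ctype: bytes, payload: bytes) -> bytes:
    """Return the searchable text of a text chunk; zTXt is inflated first."""
    if ctype == b"zTXt":
        keyword, _, rest = payload.partition(b"\x00")
        try:
            return keyword + zlib.decompress(rest[1:])  # skip compression-method byte
        except zlib.error:
            return payload
    return payload


def find_suspicious(data: bytes) -> list:
    """Return [(chunk_type, marker)] for text chunks or trailing data
    containing any assumed marker (case-insensitive)."""
    findings = []
    for ctype, payload in parse_chunks(data):
        if ctype not in TEXT_CHUNKS and ctype != b"TRAILING":
            continue
        text = _text_of(ctype, payload).lower()
        for marker in SUSPICIOUS_MARKERS:
            if marker in text:
                findings.append((ctype.decode("ascii"), marker.decode("ascii")))
                break
    return findings


# Constructed samples: a clean image, one with script in a tEXt chunk,
# and one with bytes appended after IEND.
CLEAN_PNG = build_png([(b"Comment", b"constructed test image")])
SUSPECT_PNG = build_png([(b"Comment", b"<script>window.location='/lp'</script>")])
TRAILING_PNG = build_png([], trailing=b"...document.write('x')...")

if __name__ == "__main__":
    for name, png in (("clean", CLEAN_PNG), ("suspect", SUSPECT_PNG), ("trailing", TRAILING_PNG)):
        print(name, find_suspicious(png))
```

The scanner is deliberately structural rather than signature-based: a valid-looking image that fails a CRC, carries long text chunks, or has bytes after IEND is worth quarantining from an ad pipeline regardless of which markers it matches. Compressed iTXt text is not inflated here, so an iTXt chunk with its compression flag set would need the same treatment as zTXt.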

Note: An exploit kit is a software kit designed to run on web servers, with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting vulnerabilities to upload and execute malicious code on the client. -Wikipedia

Stage 4: Double-checking the IP address

After the target is forced to visit the landing page hosting DNSChanger, the IP address is checked a second time to make sure it is one the attackers want to target.

Stage 5: The second image served to the target

Once it is certain that a particular IP address is to be targeted, a second wave of malicious image-based advertising is served by the malicious website. This image also conceals exploit code, but this time its purpose is not to lure the victim to a malicious website; it carries exploit code to compromise the router. DNSChanger uses the WebRTC real-time communications protocols to send STUN server requests (normally used in VoIP) and thereby learn the local network address. The exploit is ultimately able to funnel code through the Chrome browser on Windows and Android to reach the network router.

When the attack is aborted

The model of the router is determined during this process and a known exploit is executed to take control of it. If there is no known exploit for the targeted router, the router's default username and password are tried instead. If the default credentials have been changed, the attack is aborted.

Nevertheless, the attack is carried further on if the attacker successfully establishes control over the network router.

Once the attackers control the DNS resolvers on the network, they can direct the target to further malicious payloads, fake sites, malvertising and so on. The kinds of attacks that can follow from controlling the target's network are countless.
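A compromised router shows up on the LAN as a change in the DNS resolvers it advertises, so one cheap detection is to audit the resolvers handed out over DHCP against an allowlist and to alert when a client's resolver set drifts. The following is an added example written for this article, not a tool from the report. The log format, the sample lines and the allowlist are constructed; the addresses come from the RFC 5737 documentation ranges.

```python
"""Audit DHCP-advertised DNS resolvers against an allowlist and detect drift."""
import ipaddress
import re

# Constructed sample lines in an assumed simplified router log format.
SAMPLE_LOG = """\
2016-12-14T09:01:02Z router dhcp: ack client=192.168.1.20 dns=192.168.1.1
2016-12-14T09:02:10Z router dhcp: ack client=192.168.1.21 dns=192.168.1.1
2016-12-14T09:31:44Z router dhcp: ack client=192.168.1.20 dns=203.0.113.77,203.0.113.78
2016-12-14T09:32:01Z router dhcp: ack client=192.168.1.22 dns=192.168.1.1,203.0.113.77
2016-12-14T09:40:00Z router dhcp: ack client=192.168.1.23 dns=not-an-ip
"""

# Constructed allowlist: the router's own LAN address and the ISP's resolver.
ALLOWED = ["192.168.1.1/32", "198.51.100.53/32"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcp: ack client=(?P<client>\S+) dns=(?P<dns>\S+)$"
)


def parse_allowlist(entries):
    """Accept single addresses or CIDR blocks; both become networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _records(lines):
    """Yield (timestamp, client, [resolver tokens]) for each parsable line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["client"], m["dns"].split(",")


def audit_dhcp_dns(lines, allowed_entries):
    """Return [(ts, client, [rogue resolvers])] for acks advertising a resolver
    outside the allowlist. Unparsable resolver values are reported too."""
    allow = parse_allowlist(allowed_entries)
    findings = []
    for ts, client, tokens in _records(lines):
        rogue = []
        for token in tokens:
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                rogue.append(token)
                continue
            if not any(addr in net for net in allow):
                rogue.append(token)
        if rogue:
            findings.append((ts, client, rogue))
    return findings


def resolver_drift(lines):
    """Return [(ts, client, previous, current)] each time a client's advertised
    resolver set differs from the last one seen for that client."""
    last = {}
    changes = []
    for ts, client, tokens in _records(lines):
        if client in last and last[client] != tokens:
            changes.append((ts, client, last[client], tokens))
        last[client] = tokens
    return changes


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for finding in audit_dhcp_dns(lines, ALLOWED):
        print("ROGUE RESOLVER", finding)
    for change in resolver_drift(lines):
        print("RESOLVER DRIFT", change)
```

Drift detection catches the case the allowlist misses: an attacker who points clients at a resolver that happens to be on the allowlist still produces a change event when the set flips, and the first rogue ack pins down the compromise time.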

It's pretty clear from the recent DNSChanger exploit kit attacks that the attackers have stepped up a level. The techniques used are more sophisticated and far more deceptive than those detected earlier. However, one must not forget the basics of defending against such attacks, starting with updating the router to the latest firmware. One way of protecting yourself from malvertising is to block ads with ad-blocking software. It is also important that the router's default credentials are changed in order to secure the network from external attacks.