Hacker group incorporates DNS hijacking into its malicious website campaign

[Image: The concept of DNS hijacking.]

Researchers have discovered a malicious Android app that can tamper with the wireless router to which the infected phone is connected, causing the router to send all network devices to malicious sites.

Discovered by Kaspersky, the app uses a technique known as DNS (Domain Name System) hijacking. Once installed, it connects to the router and attempts to log into the admin account using default or commonly used credentials (such as admin:admin). If that succeeds, the app changes the router’s DNS server setting to a malicious server controlled by the attacker. Devices on the network can then be directed to fraudulent sites that mimic legitimate ones but spread malware or log user credentials and other sensitive information.

Widely disseminated

“We consider the discovery of this new DNS changer implementation to be of great importance from a security point of view,” wrote the Kaspersky researchers. “Attackers can use it to manage all communications from devices using compromised Wi-Fi routers with incorrect DNS settings.”

The researchers continued: “When connected to target Wi-Fi models with weak settings, Android malware can compromise routers and affect other devices as well. As a result, it can spread widely over the target area.”

DNS is the mechanism by which a domain name such as ArsTechnica.com is matched to 18.188.231.255, the numeric IP address where the site is hosted. DNS lookups are performed by servers operated by the user’s ISP or by services of companies such as Cloudflare and Google. By changing the DNS server address in the router’s admin panel from a legitimate one to a malicious one, an attacker can force every device connected to the router to receive attacker-controlled answers to its domain lookups, which can send those devices to look-alike sites used for fraud and other crime.
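The two paragraphs above describe the symptom a defender can test for: the router (or the DHCP lease it hands out) now points at a resolver nobody configured, and lookups come back with addresses that a trusted resolver would not return. The following is an added example, not code from the Kaspersky report or from Ars Technica. It assumes a small allowlist of public resolvers (TRUSTED_RESOLVERS) that the household or organisation actually uses; the resolv.conf text and the "observed" answers are constructed inline, and the only real value is the 18.188.231.255 address the article gives for ArsTechnica.com.

```python
"""Client-side check for a DNS-changer-style router compromise.

Added example (not from the Kaspersky / Ars Technica write-up).  Two checks:
  1. Is every configured resolver either the LAN router or a resolver on our
     allowlist?  A DNS changer that rewrites the router's DHCP settings shows
     up here as an unexpected public address.
  2. Do answers from the resolver we are actually using agree with answers
     obtained directly from a trusted resolver?  If the changer only rewrote
     the router's upstream DNS, resolv.conf still looks normal (it names the
     router), so this second check is the one that catches it.
All inputs below are constructed so the script runs offline.
"""
import ipaddress

# Assumed allowlist: the public resolvers this network is supposed to use.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# RFC 1918 ranges plus loopback: a resolver here is normally the router itself.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """'lan' (router/loopback), 'trusted' (allowlisted) or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    if addr in trusted:
        return "trusted"
    return "unknown"          # a public resolver nobody configured


def compare_answers(observed, reference):
    """Names whose observed A records share nothing with the trusted answers."""
    mismatched = []
    for name, ref_ips in reference.items():
        if not observed.get(name, set()) & ref_ips:
            mismatched.append(name)
    return sorted(mismatched)


def audit(resolv_conf_text, observed, reference):
    """Run both checks and return human-readable findings (empty = clean)."""
    findings = []
    for srv in parse_resolv_conf(resolv_conf_text):
        if classify_resolver(srv) == "unknown":
            findings.append(f"unexpected public resolver {srv}")
    for name in compare_answers(observed, reference):
        findings.append(f"answer mismatch for {name}")
    return findings


# --- constructed sample inputs -------------------------------------------
# A lease handed out by a tampered router: the router itself plus a public
# address the user never configured (203.0.113.10 is a documentation range).
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.168.1.1
nameserver 203.0.113.10
"""
# Answers as returned by a trusted resolver queried directly (18.188.231.255
# is the address the article gives; 198.51.100.7 is a constructed value).
REFERENCE = {"arstechnica.com": {"18.188.231.255"},
             "bank.example": {"198.51.100.7"}}
# Answers as returned through the compromised path: the news site now
# resolves to the attacker's server, the other name is left alone.
OBSERVED = {"arstechnica.com": {"203.0.113.10"},
            "bank.example": {"198.51.100.7"}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLV_CONF, OBSERVED, REFERENCE):
        print("ALERT:", finding)
```

In a real deployment the OBSERVED dictionary would be filled by querying the system resolver and REFERENCE by querying an allowlisted resolver directly (ideally over DoH/DoT so the router cannot rewrite that traffic either); the comparison logic stays the same. Sites served from CDNs legitimately return different addresses from different resolvers, so the check flags only names with no overlap at all rather than any difference.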

The Android app is known as Wroba.o and has been used for years in countries including the United States, France, Japan, Germany, Taiwan, and Turkey. Curiously, the DNS hijacking capability of this malware has been used almost exclusively in South Korea. From 2019 to 2022, the attackers lured targets to malicious sites through links sent in text messages, a technique called smishing. Late last year, the attackers incorporated DNS hijacking into their operations in that country.

[Image: Infection flow through DNS hijacking and smishing.]

Known in the security industry as Roaming Mantis, the attacker designed the DNS hijacking to work only when the device visited the mobile version of the spoofed website, ensuring that the campaign went undetected.

The threat is serious, but it has one big drawback: HTTPS. A Transport Layer Security (TLS) certificate, the foundation of HTTPS, binds a domain name such as ArsTechnica.com to a private cryptographic key known only to the site operator. Because an impostor site cannot present a valid certificate for a domain whose key it does not hold, users of modern browsers who are directed to a malicious site impersonating Ars Technica will receive a warning that the connection is not secure or be asked to accept a self-signed certificate. Users should never accept such a certificate.

Another way to combat this threat is to change the password protecting the router’s administrator account from the default to a strong password.

Still, not everyone is familiar with these best practices, and you may end up visiting a malicious site that looks almost identical to the legitimate site you are trying to visit.

“Users with infected Android devices who connect to free or public Wi-Fi networks can spread malware to other devices on the network if the Wi-Fi networks they connect to are vulnerable,” said Thursday’s report. “Kaspersky experts are concerned that the DNS changer could be used to target other regions and cause significant problems.”
