2015-05-22 - Landscape

An Exploit Kit dedicated to CSRF Pharming

In april, studying a redirector that was previously associated with some (RIP) Sweet Orange activity, I landed on a TDS that was strangely denying usual driveby criteria (US,EU, JP,... Internet Explorer, Firefox...).

A try with Android did not give better result. Trying with Chrome I was expecting a "Browlock" ransomware but instead I got what looks like a CSRF (Cross-Site Request Forgery) Soho Pharming (a router DNS changer)

The code ( http://pastebin.com/raw.php?i=TsEUAJtq ) was easy to read. The DNS written in clear, some exploits. I decided not to look in details.

But when i faced those redirections one month later, there was many improvement including some obfuscation.

The traffic brought to it when active is a 6 figure one

1 Week of traffic to the "router Exploit Kit"

Geo Repartition of the Chrome traffic 2015-05-16

With my first pass I only got those call :

Router EK - Dodged client : reason bad network configuration
2015-05-12

The landing is calling CryptoJS AES encoding.

RouterBF - Landing - 2015-05-12
featuring some CryptoJS AES encoding

This call :

GET http://ngwblnlfmvjazwf17swal1tn5qqjbx.informationdrommers .xyz:81/track/e_x.js
200 OK (application/javascript)

is the implementation of Daniel Roesler's webrtc-ips which allow local and public IP adresses gathering via STUN requests. (Demo proposed by @diafygi)

STUN calls generated by the "Router EK" captured in Wireshark
2015-05-18
(note: that pass was successfull - cf local IP range)

Once decoded the AES encoded piece of code was like :

Decoded piece of the landing.
We can see some router fingerprinting by image path and size.
Some IP range condition (otherwise redirect to : "about:blank"

Few days later the code moved again

Landing was smaller, some AES encoded strings were moved to separated calls :
/stat/dnd.php
/stat/gcd.php?l=1

The router list was improved :

more than 55 routers from a dozen of brands

Here is the list on the 2015-05-18 :

ASUS AC68U

ASUS RTN56U & ASUS RTN10P & ASUS-RTN66U & ASUS-RT56-66-10-12

ASUS-RTG32

BELK-PHILIPS (?)

BELKIN F5D7230-4

BELKIN F5D8236-4V2

BELKIN F9k1105V2

BELKIN-F5D7231-4

BELKIN-F5D7234-4

D'LINK DIR-600

D'LINK DIR-604

D'LINK DIR-645

D'LINK DIR-810L & DIR-826L & DIR-615 & DIR-651 & DIR-601 & WBR1310 & D2760

D'LINK DSLG604T

D'LINK-DIR-2740R

EDIMAX BR6208AC

LINKSYS BEFW11S4 V4

LINKSYS L120

LINKSYS WRT54GSV7

LINKSYS-BEFW11S4 V4

LINKSYS-LWRT54GLV4

LINKSYS-WRT54GV8

LINKSYS-X3000

LINSYS L000

Medialink WAPR300N

Microsoft MN-500

NETGEAR DGN1000B & DG834v3 & DGN2200

NETGEAR WNDR3400

NETGEAR-DGN1000 & NETGEAR-DGN2200

NETGEAR-WNR834Bv2

NETGEAR-WPN824v3

NETIS WF2414

Netis WF2414

TENDA 11N

TPLI ALL

TPLI-WR940N & WR941ND & WR700

TRENDNET E300-150

TRIP-TM01

TRIP-TM04

Trendnet TW100S4W1CA

ZYXEL MVR102

ZYXEL NBG416

ZYXEL-NBG334W

New features to detect devices on the client machine and fingerprint it using a fork of this script :
https://github.com/muaz-khan/DetectRTC/blob/master/DetectRTC.js

Data gathered by the KIT via DetectRTC

Example of DetectRTC result reply before encoding and passed as parameter

With those information on how to get attacked, I moved the VM to an "accepted" IP-range and faked owning a targeted router :

DNSChanger EK tricking Chrome to exploit a D'LINK (CVE-2015-1187) then change DNS
(to 185.82.216.86)
and reboot

Knowing CVE-2015-1187 has been released on 2015-03-02 i guess this attack is pretty effective ( the % of router updated in the past two months is probably really low)

Here is the code sent in an AES encoded form for the D'LINK attack

D'LINK attack instructions - 2015-05-18

Looking at the code it seems we can say CVE-2008-1244 is there.
(note that Router are not updated automatically, so while we hardly see some >3 years old CVE in Browser Exploit Pack, for router this might still be relevant), CVE-2013-2645 might be here as well. We can bet there are a lot more buried in the post commands dedicated to some of the models.

I made a pass for some Linksys :

The DNSChanger EK trying to perform a dictionnary attack on a LinkSys WRT54G
2015-05-18

For the Microsoft MN500 :

A Router EK trying to perform a bruteforce attack on a Microsoft MN500
2015-05-18

2 more (Asus and Edimax) are shared at the end

I made another pass today, and saw an additionnal call :

A router EK 2015-05-22 - one more call, another DNS Server.

DNS are now changed to : 217.12.202.93 (previously it was : 185.82.216.86, and earlier 37.139.50.45 - quite surely some others have been used ). Always Google DNS as failover to avoid raising alarm if something goes wrong with the first IP.

We know they can do : bank/webmoney MITM, phishing, adfraud etc...but to the question : "what are they doing ?"... I have no reply yet (if you figure out, i'd be more than happy to get a mail :) )

[Edit : 2015-05-26]
If you think you might be compromised and don't know exactly how to figure out, you can give
- RouterCheck (Android App)
- F-Secure Router Checker (Web)
a try.
If you are aware of other "easy" methods to do it, feel free to share i'll report it here
]

Thanks Will Metcalf (Emerging Threats) for his help.

Files : RouterBF_2015-05-22.zip (5 fiddlers, some piece of decoded js)

Read more :
Ad-Fraud Malware Hijacks Router DNS – Injects Ads Via Google Analytics - 2015-03-25 - Sergei Frankoff - Sentrant
Large-scale DNS redirection on home routers for financial theft - 2014-02-06 - Cert-PL
[PDF] : Soho Pharming 2013 - Team Cymru's TIG
[PDF Whitepaper]: Drive-By Pharming - 2006-12-13 - Sid Stamm (Indiana University, Bloomington) - Zulfikar Ramzan (symantec) - Markus Jakobsson (Indiana University, Bloomington)