2015-05-22 - Landscape

An Exploit Kit dedicated to CSRF Pharming




In April, while studying a redirector that was previously associated with some (RIP) Sweet Orange activity, I landed on a TDS that was strangely refusing the usual drive-by criteria (US, EU, JP, ... Internet Explorer, Firefox, ...).

A try with Android did not give a better result. Trying with Chrome, I was expecting a "Browlock" ransomware, but instead I got what looks like a CSRF (Cross-Site Request Forgery) SOHO pharming (a router DNS changer).

The code ( http://pastebin.com/raw.php?i=TsEUAJtq ) was easy to read: the DNS server written in the clear, some exploits. I decided not to look at it in detail.

But when I faced those redirections again one month later, there were many improvements, including some obfuscation.

When active, the traffic brought to it is in the six figures.

1 Week of traffic to the "router Exploit Kit"

Geographic distribution of the Chrome traffic, 2015-05-16

With my first pass I only got these calls:

Router EK - Dodged client: reason "bad network configuration" - 2015-05-12
The landing page calls CryptoJS for AES encryption.

RouterBF - Landing - 2015-05-12, featuring some CryptoJS AES encryption
This call :

GET http://ngwblnlfmvjazwf17swal1tn5qqjbx.informationdrommers .xyz:81/track/e_x.js
200 OK (application/javascript)

is the implementation of Daniel Roesler's webrtc-ips, which allows gathering local and public IP addresses via STUN requests (demo proposed by @diafygi).

STUN calls generated by the "Router EK", captured in Wireshark - 2015-05-18 (note: that pass was successful, cf. the local IP range)
Once decoded, the AES-encrypted piece of code looked like this:

Decoded piece of the landing.

We can see some router fingerprinting by image path and size, and an IP range condition (otherwise, redirect to "about:blank").
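From the defender's side, the fingerprinting described above shows up as a web page on an external site causing the browser to fetch resources from hosts in private address space. The following Python is an added example, not the kit's code or anything from the original post: it parses constructed proxy-log lines (timestamp, client, method, URL, Referer) and flags requests to RFC1918 hosts whose Referer is an external site, then groups them per referring page so that one page touching several LAN hosts or paths stands out. The log format and the sample hostnames are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic): timestamp client method url referer
SAMPLE_LOG = """\
2015-05-18T10:01:02 10.0.0.5 GET http://example-ad-site.test/landing.html -
2015-05-18T10:01:03 10.0.0.5 GET http://192.168.1.1/images/logo.png http://example-ad-site.test/landing.html
2015-05-18T10:01:03 10.0.0.5 GET http://192.168.0.1/img/router.gif http://example-ad-site.test/landing.html
2015-05-18T10:01:04 10.0.0.5 GET http://192.168.1.1/index.html http://192.168.1.1/login.html
2015-05-18T10:02:00 10.0.0.5 GET http://cdn.example.test/lib.js http://example-ad-site.test/landing.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def is_private_host(host):
    """True only for literal IP addresses in private/special ranges; hostnames are not resolved."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def parse_line(line):
    """Split one assumed-format log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, referer = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "referer": referer}


def cross_site_lan_requests(log_text):
    """Return (client, referer_host, url) for requests to a private IP triggered by an external page."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dst_host = urlparse(rec["url"]).hostname or ""
        if not is_private_host(dst_host):
            continue  # only interested in LAN destinations
        ref_host = urlparse(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host is None or is_private_host(ref_host):
            continue  # direct navigation or LAN-to-LAN browsing is normal
        hits.append((rec["client"], ref_host, rec["url"]))
    return hits


def suspicious_referers(log_text, threshold=2):
    """Group hits by (client, referring host); several distinct LAN URLs from one page looks like fingerprinting."""
    by_ref = {}
    for client, ref_host, url in cross_site_lan_requests(log_text):
        by_ref.setdefault((client, ref_host), set()).add(url)
    return {key: sorted(urls) for key, urls in by_ref.items() if len(urls) >= threshold}


if __name__ == "__main__":
    for (client, ref_host), urls in suspicious_referers(SAMPLE_LOG).items():
        print(f"{client}: page on {ref_host} probed {len(urls)} LAN resources: {urls}")
```

The threshold is deliberately low because a single external page has no legitimate reason to load images from a router's admin interface; raise it if your environment has internal web apps that embed resources from other LAN hosts.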
A few days later the code moved again.

The landing was smaller; some AES-encrypted strings were moved to separate calls:
/stat/dnd.php
/stat/gcd.php?l=1

The router list was improved: more than 55 routers from a dozen brands. Here is the list on 2015-05-18:

ASUS AC68U
ASUS RTN56U & ASUS RTN10P & ASUS-RTN66U & ASUS-RT56-66-10-12
ASUS-RTG32
BELK-PHILIPS (?)
BELKIN F5D7230-4
BELKIN F5D8236-4V2
BELKIN F9k1105V2
BELKIN-F5D7231-4
BELKIN-F5D7234-4
D'LINK DIR-600
D'LINK DIR-604
D'LINK DIR-645
D'LINK DIR-810L & DIR-826L & DIR-615 & DIR-651 & DIR-601 & WBR1310 & D2760
D'LINK DSLG604T
D'LINK-DIR-2740R 
EDIMAX BR6208AC
LINKSYS BEFW11S4 V4
LINKSYS L120
LINKSYS WRT54GSV7
LINKSYS-BEFW11S4 V4
LINKSYS-LWRT54GLV4
LINKSYS-WRT54GV8
LINKSYS-X3000
LINSYS L000
Medialink WAPR300N
Microsoft MN-500
NETGEAR DGN1000B & DG834v3 & DGN2200
NETGEAR WNDR3400
NETGEAR-DGN1000 & NETGEAR-DGN2200
NETGEAR-WNR834Bv2
NETGEAR-WPN824v3 
NETIS WF2414
Netis WF2414
TENDA 11N
TPLI ALL
TPLI-WR940N & WR941ND & WR700
TRENDNET E300-150
TRIP-TM01 
TRIP-TM04
Trendnet TW100S4W1CA
ZYXEL MVR102
ZYXEL NBG416
ZYXEL-NBG334W


New features detect devices on the client machine and fingerprint it, using a fork of this script:
https://github.com/muaz-khan/DetectRTC/blob/master/DetectRTC.js

Data gathered by the KIT via DetectRTC


Example of a DetectRTC result before encoding, passed as a parameter


With this information on how to get attacked, I moved the VM to an "accepted" IP range and faked owning a targeted router:

DNSChanger EK tricking Chrome into exploiting a D'LINK (CVE-2015-1187), then changing the DNS (to 185.82.216.86) and rebooting


Knowing CVE-2015-1187 was released on 2015-03-02, I guess this attack is pretty effective (the percentage of routers updated in the past two months is probably really low).


Here is the code sent, in AES-encrypted form, for the D'LINK attack:

D'LINK attack instructions - 2015-05-18
Looking at the code, it seems we can say CVE-2008-1244 is there (note that routers are not updated automatically, so while we hardly ever see a >3-year-old CVE in a browser exploit pack, for routers this might still be relevant). CVE-2013-2645 might be here as well. We can bet there are a lot more buried in the POST commands dedicated to some of the models.

I made a pass for some Linksys models:

The DNSChanger EK trying to perform a dictionary attack on a Linksys WRT54G - 2015-05-18

For the Microsoft MN500:

A Router EK trying to perform a brute-force attack on a Microsoft MN500 - 2015-05-18

Two more (Asus and Edimax) are shared at the end.

I made another pass today and saw an additional call:

A router EK, 2015-05-22: one more call, another DNS server.


The DNS is now changed to 217.12.202.93 (previously it was 185.82.216.86, and earlier 37.139.50.45; quite surely some others have been used). Google DNS is always set as the failover, to avoid raising alarms if something goes wrong with the first IP.
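The resolver pattern above (an unfamiliar primary with Google DNS as failover, plus the specific addresses reported in this post) is something a defender can check from a client or from a router configuration dump. The following Python is an added example and not part of the original post: it parses constructed resolv.conf-style text, then audits the resolver list for the addresses quoted in this post and for the "unexpected primary, public failover" pattern. The rogue addresses are the ones this post reports; the sample text and the optional set of expected resolvers are assumptions.

```python
import ipaddress

# Resolver addresses this post reports the kit writing into router configuration (taken from the post)
ROGUE_RESOLVERS = {"217.12.202.93", "185.82.216.86", "37.139.50.45"}
# Public resolvers the kit uses as failover so that a broken primary does not raise alarms
PUBLIC_FAILOVER = {"8.8.8.8", "8.8.4.4"}

# Constructed sample: a client's /etc/resolv.conf after the router's DNS settings were changed
SAMPLE_RESOLV_CONF = """\
# generated by dhcp (constructed sample)
search lan
nameserver 217.12.202.93
nameserver 8.8.8.8
"""


def parse_nameservers(text):
    """Extract nameserver addresses, in order, from resolv.conf-style text; comments and junk are skipped."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # malformed address; ignore rather than crash the audit
    return servers


def audit_resolvers(servers, expected=frozenset()):
    """Return (finding, address) tuples for an ordered resolver list.

    expected: resolver addresses the operator knows are legitimate (e.g. the ISP's); empty = unknown.
    A private primary (usually the router itself) means the upstream resolver must be read from the
    router's own admin page instead, so it is not reported here.
    """
    findings = []
    for ip in servers:
        if ip in ROGUE_RESOLVERS:
            findings.append(("known_rogue_resolver", ip))
    if len(servers) >= 2:
        primary, failover = servers[0], servers[1]
        primary_is_private = ipaddress.ip_address(primary).is_private
        if (failover in PUBLIC_FAILOVER and not primary_is_private
                and primary not in PUBLIC_FAILOVER and primary not in expected):
            findings.append(("unexpected_primary_with_public_failover", primary))
    if expected:
        for ip in servers:
            if ip not in expected and ip not in PUBLIC_FAILOVER and not ipaddress.ip_address(ip).is_private:
                findings.append(("not_in_expected_set", ip))
    return findings


if __name__ == "__main__":
    servers = parse_nameservers(SAMPLE_RESOLV_CONF)
    print("resolvers:", servers)
    for finding, ip in audit_resolvers(servers):
        print(f"{finding}: {ip}")
```

Run against a router's DHCP/WAN settings export in the same way: dump the primary and secondary DNS fields into a two-element list and call `audit_resolvers` with your ISP's resolvers as `expected`. The known-rogue list will age quickly (the post already shows three successive addresses), which is why the pattern check is the more durable signal.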

We know what they can do: bank/WebMoney MITM, phishing, ad fraud, etc. But to the question "what are they doing?" I have no reply yet (if you figure it out, I'd be more than happy to get a mail :) ).

[Edit: 2015-05-26]
If you think you might be compromised and don't know exactly how to find out, you can give
 -  RouterCheck (Android app)
 -  F-Secure Router Checker (web)
a try.
If you are aware of other "easy" methods to do it, feel free to share; I'll report them here.
]

Thanks to Will Metcalf (Emerging Threats) for his help.

Files: RouterBF_2015-05-22.zip (5 Fiddler captures, some pieces of decoded JS)

Read more :
Ad-Fraud Malware Hijacks Router DNS – Injects Ads Via Google Analytics - 2015-03-25 - Sergei Frankoff - Sentrant
Large-scale DNS redirection on home routers for financial theft - 2014-02-06 - Cert-PL
[PDF] : Soho Pharming 2013 - Team Cymru's TIG
[PDF Whitepaper]: Drive-By Pharming - 2006-12-13 - Sid Stamm (Indiana University, Bloomington) - Zulfikar Ramzan (Symantec) - Markus Jakobsson (Indiana University, Bloomington)