In April, while studying a redirector that was previously associated with some (RIP) Sweet Orange activity, I landed on a TDS that was strangely denying the usual drive-by criteria (US, EU, JP, ... Internet Explorer, Firefox...).
A try with Android did not give a better result. Trying with Chrome, I was expecting a "Browlock" ransomware, but instead I got what looks like a CSRF (Cross-Site Request Forgery) Soho Pharming (a router DNS changer).
The code ( http://pastebin.com/raw.php?i=TsEUAJtq ) was easy to read: the DNS written in the clear, some exploits. I decided not to look into the details.
But when I faced those redirections one month later, there were many improvements, including some obfuscation.
The traffic brought to it when active is a 6-figure one.
|1 Week of traffic to the "router Exploit Kit"|
|Geo Repartition of the Chrome traffic 2015-05-16|
On my first pass I only got these calls:
|Router EK - Dodged client : reason bad network configuration|
|RouterBF - Landing - 2015-05-12|
featuring some CryptoJS AES encoding
GET http://ngwblnlfmvjazwf17swal1tn5qqjbx.informationdrommers .xyz:81/track/e_x.js
is the implementation of Daniel Roesler's webrtc-ips, which allows gathering local and public IP addresses via STUN requests. (Demo proposed by @diafygi)
|STUN calls generated by the "Router EK" captured in Wireshark|
(note: that pass was successful - cf. local IP range)
|Decoded piece of the landing.|
We can see some router fingerprinting by image path and size.
Some IP range conditions (otherwise redirect to "about:blank").
The landing was smaller; some AES-encoded strings were moved to separate calls:
Here is the list as of 2015-05-18:
ASUS RTN56U & ASUS RTN10P & ASUS-RTN66U & ASUS-RT56-66-10-12
D'LINK DIR-810L & DIR-826L & DIR-615 & DIR-651 & DIR-601 & WBR1310 & D2760
LINKSYS BEFW11S4 V4
NETGEAR DGN1000B & DG834v3 & DGN2200
NETGEAR-DGN1000 & NETGEAR-DGN2200
TPLI-WR940N & WR941ND & WR700
New features to detect devices on the client machine and fingerprint it using a fork of this script :
|Data gathered by the KIT via DetectRTC|
|Example of DetectRTC result reply before encoding and passed as parameter|
With this information on how to get attacked, I moved the VM to an "accepted" IP range and faked owning a targeted router:
|DNSChanger EK tricking Chrome to exploit a D'LINK (CVE-2015-1187) then change DNS|
Knowing CVE-2015-1187 was released on 2015-03-02, I guess this attack is pretty effective (the % of routers updated in the past two months is probably really low).
Here is the code sent in an AES-encoded form for the D'LINK attack:
|D'LINK attack instructions - 2015-05-18|
(Note that routers are not updated automatically, so while we hardly see any >3-year-old CVEs in browser exploit packs, for routers this might still be relevant.) CVE-2013-2645 might be here as well. We can bet there are a lot more buried in the POST commands dedicated to some of the models.
I made a pass for some Linksys :
|The DNSChanger EK trying to perform a dictionary attack on a LinkSys WRT54G|
For the Microsoft MN500 :
|A Router EK trying to perform a bruteforce attack on a Microsoft MN500|
I made another pass today, and saw an additional call:
|A router EK 2015-05-22 - one more call, another DNS Server.|
DNS are now changed to: 18.104.22.168 (previously it was: 22.214.171.124, and earlier 126.96.36.199 - quite surely some others have been used). Always Google DNS as failover, to avoid raising alarm if something goes wrong with the first IP.
We know they can do: bank/webmoney MITM, phishing, ad fraud, etc... but to the question "what are they doing?"... I have no reply yet (if you figure it out, I'd be more than happy to get a mail :) )
[Edit : 2015-05-26]
If you think you might be compromised and don't know exactly how to figure it out, you can give
- RouterCheck (Android App)
- F-Secure Router Checker (Web)
If you are aware of other "easy" methods to do it, feel free to share; I'll report it here.
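A small self-check for the DNS layout described above (an unexpected primary resolver with Google DNS kept as failover). This is an added example, not code from the original post or from the kit; the `EXPECTED` list and the sample addresses are constructed assumptions using documentation ranges, not indicators from this analysis.

```python
import ipaddress

# Google Public DNS: the failover the post describes.
GOOGLE_DNS = {ipaddress.ip_address(a) for a in (
    "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844")}

def parse_resolv_conf(text):
    """Return nameserver addresses, in order, from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1].split("%")[0]))
            except ValueError:
                continue  # skip malformed entries
    return servers

def assess_resolvers(servers, expected):
    """Compare resolvers with what the owner expects (IPs or CIDR ranges).

    Returns (verdict, unexpected); verdict is 'ok', 'review' or 'suspicious'.
    Google DNS alone is not flagged, since many users set it themselves.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in expected]
    unexpected = [ip for ip in servers
                  if ip not in GOOGLE_DNS and not any(ip in n for n in nets)]
    if not unexpected:
        return "ok", []
    # Unknown primary plus Google DNS as secondary: the layout reported above.
    google_failover = any(ip in GOOGLE_DNS for ip in servers[1:])
    if servers[0] in unexpected and google_failover:
        return "suspicious", unexpected
    return "review", unexpected

# Constructed sample: what a client might receive via DHCP.
SAMPLE = """# pushed by DHCP
nameserver 203.0.113.53
nameserver 8.8.8.8
"""
# Assumed values: router LAN address and the ISP's resolver range.
EXPECTED = ["192.168.1.1", "198.51.100.0/24"]

if __name__ == "__main__":
    verdict, odd = assess_resolvers(parse_resolv_conf(SAMPLE), EXPECTED)
    print(verdict, [str(ip) for ip in odd])
```

If the router proxies DNS itself, clients only see the router's LAN address, so run the same comparison on the DNS servers shown in the router's admin page.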
Thanks Will Metcalf (Emerging Threats) for his help.
Files: RouterBF_2015-05-22.zip (5 fiddlers, some pieces of decoded JS)
Read more :
Ad-Fraud Malware Hijacks Router DNS – Injects Ads Via Google Analytics - 2015-03-25 - Sergei Frankoff - Sentrant
Large-scale DNS redirection on home routers for financial theft - 2014-02-06 - Cert-PL
[PDF] : Soho Pharming 2013 - Team Cymru's TIG
[PDF Whitepaper]: Drive-By Pharming - 2006-12-13 - Sid Stamm (Indiana University, Bloomington) - Zulfikar Ramzan (Symantec) - Markus Jakobsson (Indiana University, Bloomington)
CVE-2015-1187 CVE-2013-2645 DNSChanger EK Router SOHO CSRF Pharming CVE-2008-1244