GhostDNS


Posted: October 3, 2018

GhostDNS is a router-hijacking campaign that redirects its victims' Web browsers from legitimate domains to copycat phishing sites. Currently, its threat actors are limiting the campaign to Brazilian banking customers. Users should double-check their routers' DNS settings and re-secure the relevant login credentials. Although this campaign doesn't compromise personal computers directly, any exposure to the associated, corrupted domains may do so, and victims should analyze their PCs with anti-malware software while removing GhostDNS's router changes.

A Haunting for the Brazilian Bank Clientele

Brazil's reputation as a hotspot for threat actors with interests in the banking sector is in no danger of becoming obsolete: a new string of attacks bearing strong strategic similarities to the old DNS Changer campaign has been confirmed by multiple sources. The so-dubbed GhostDNS campaign includes four components, none of which infect the victims' PCs directly. Instead, the threat actor hijacks Web-browsing traffic through vulnerable routers, giving bank clients a disguised pathway to harmful phishing domains.

Initial analyses from malware researchers divide the GhostDNS campaign's software architecture into multiple modules: an administrative panel for the threat actors; an infection component with three sub-modules for compromising different brands of routers by different methods (both abusing built-in software vulnerabilities and brute-forcing credentials); another that resolves any traffic to the domains that GhostDNS is targeting; and a final one that serves the targeted copycat or hoax website. While the threat actors could target nearly any kind of Web-browsing traffic, the GhostDNS campaign focuses on Brazilian banking sites, some cloud hosting services, and a minority of cyber-security domains, such as Avira's website.

Victims browsing the Web with a compromised router will have their traffic monitored for any access to the above sites. When they try to load such a domain, GhostDNS redirects the browser to a semi-identical site that the threat actors design for collecting account credentials, such as login names and passwords. Since malware researchers note no other symptoms in such attacks, the user may never realize the hijacking until after observing the consequences, such as money transfers from their bank accounts.

Putting Ghosts of Old Digital Bank Heists to Rest

While none of GhostDNS's modules are one-to-one copies of older threats, the techniques its authors use aren't very different from those of DNS Changer. Older attacks with similar motives sometimes relied on spam e-mails that targeted individuals with disguised, corrupted attachments or links. GhostDNS, however, uses less direct infection tactics: brute-forcing easily-guessable router logins and abusing unpatched software vulnerabilities. Defenses that malware experts recommend as particularly relevant against the GhostDNS campaign include:

  • Change your router's password to a secure, non-default one.
  • Make sure that your router is running the latest available security patches.
  • Deactivate any remote admin features that could let criminals access and modify the device remotely.
  • Advanced users also may consider setting up a hard-coded DNS configuration that the threat actors can't hijack.
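As an added illustration of the "double-check your DNS settings" advice above (example code, not part of the original article), the Python below runs two client-side checks against constructed sample data: it flags configured resolvers that are neither allow-listed nor inside the LAN, and flags target domains whose router-resolved addresses share nothing with an independent resolver's answers. The allow-list, LAN range, resolv.conf text, domain names and IP addresses are all constructed assumptions.

```python
import ipaddress
import re

# Constructed allow-list: the LAN gateway plus well-known public resolvers.
TRUSTED_RESOLVERS = {"192.168.0.1", "1.1.1.1", "8.8.8.8", "9.9.9.9"}
LAN = ipaddress.ip_network("192.168.0.0/24")  # constructed home network

# Constructed /etc/resolv.conf as seen on a client behind a hijacked router.
SAMPLE_RESOLV_CONF = """\
search lan
nameserver 192.168.0.1
nameserver 203.0.113.50
"""

# Constructed A records: router-supplied resolver vs. an independent resolver.
ROUTER_ANSWERS = {"bank.example": {"198.51.100.7"},
                  "cloud.example": {"203.0.113.20", "203.0.113.21"}}
TRUSTED_ANSWERS = {"bank.example": {"192.0.2.10", "192.0.2.11"},
                   "cloud.example": {"203.0.113.21", "203.0.113.22"}}

def parse_resolv_conf(text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)

def unexpected_resolvers(servers, trusted=TRUSTED_RESOLVERS, lan=LAN):
    """Resolvers that are neither allow-listed nor inside the local network.
    Catches a router that hands out an external rogue resolver via DHCP; one that
    forwards to the rogue resolver itself still looks local, hence the second check."""
    flagged = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)  # not a valid address at all: treat as suspicious
            continue
        if s not in trusted and addr not in lan:
            flagged.append(s)
    return flagged

def suspicious_domains(router_answers, trusted_answers):
    """Domains whose router-resolved addresses share nothing with the trusted
    answers. Requiring an empty intersection rather than inequality keeps CDN
    and round-robin address rotation from raising false positives."""
    return sorted(d for d, addrs in router_answers.items()
                  if d in trusted_answers and not addrs & trusted_answers[d])

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
    print("suspicious domains:", suspicious_domains(ROUTER_ANSWERS, TRUSTED_ANSWERS))
```

On a real client, feed the contents of /etc/resolv.conf (or the equivalent on other platforms) to parse_resolv_conf and compare live answers from the router against a resolver you reach directly.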

By itself, GhostDNS is a threat to your router and Web-browsing experience, but not to your computer. However, because loading unsafe websites always carries risk, users should consider scanning their PCs with anti-malware solutions while removing GhostDNS's components and settings changes. They also should change any misappropriated passwords, especially for Brazilian banking accounts.

What comes for Brazilian finance is often an opening salvo that tests the viability of banking Trojans, browser hijackers, and other threats for deployment around the world. For now, GhostDNS is, mostly, a problem for Brazil, but the only thing stopping that from changing is the criminals who are in charge of the campaign.