{"id":5997,"date":"2021-02-04T09:57:10","date_gmt":"2021-02-04T17:57:10","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5997"},"modified":"2024-04-26T13:20:56","modified_gmt":"2024-04-26T20:20:56","slug":"ghostdns-campaign-targets-brazilian-banks-and-customers","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/ghostdns-campaign-targets-brazilian-banks-and-customers\/","title":{"rendered":"GhostDNS Campaign Targets Brazilian Banks and Customers"},"content":{"rendered":"

Author: Yadu Nadh<\/strong>
\nTLP: WHITE<\/strong>
\n <\/p>\n

Overview<\/h3>\n

On 26 January, Team Cymru posted an update to their analysis of the GhostDNS exploit kit.1,2<\/sup> Their report detailed an ongoing GhostDNS campaign that targets unsuspecting users by compromising and changing the DNS of their router to deliver phishing websites. NetLab has also reported on this campaign.3<\/sup><\/p>\n

Customer Impact<\/h3>\n

GhostDNS is an exploit kit that threat actors can use to change DNS settings to route victim requests for certain websites to phishing pages on malicious servers.4<\/sup> Requests for other sites use a secondary, usually public, server such as Google\u2019s public DNS server. This feature allows threat actors to avoid detection for long periods of time.<\/p>\n

Campaign Analysis<\/h3>\n

This campaign targets more than 70 different types of routers with weak passwords or unpatched vulnerabilities to redirect victims to phishing websites that steal user credentials. The threat actor appears to be targeting Brazilian banks located in Brazil and Argentina, and their customers.<\/p>\n

Attack Chain<\/h3>\n

In this campaign, the threat actor scans the internet for vulnerable routers and uses known vulnerabilities or guesses passwords to gain access. They may also bypass the authentication through the dnscfg.cgi<\/em> exploit.<\/p>\n

Once they have gained access, the threat actor then changes the router\u2019s DNS configurations to an actor-controlled Rogue DNS server via the DNS configuration interface.<\/p>\n

When the victim queries a specific domain, the Rogue DNS server redirects them to a phishing domain that the actor can use to steal the victim\u2019s credentials or lure them into downloading and executing malware. <\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

This campaign targets routers that are misconfigured or unpatched. Infoblox recommends the following actions to reduce the risk of this type of infection: <\/p>\n