In April, studying a redirector previously associated with some (RIP) Sweet Orange activity, I landed on a TDS that was strangely denying the usual drive-by criteria (US, EU, JP, ... Internet Explorer, Firefox...).
A try with Android did not give a better result. Trying with Chrome, I was expecting a "Browlock" ransomware, but instead I got what looks like CSRF (Cross-Site Request Forgery) based SOHO pharming (a router DNS changer).
The code (http://pastebin.com/raw.php?i=TsEUAJtq) was easy to read: the DNS server written in clear, some exploits. I decided not to look into it in detail.
But when I faced those redirections one month later, there were many improvements, including some obfuscation.
The traffic brought to it when active is in the six figures.
1 week of traffic to the "router Exploit Kit" |
Geographic distribution of the Chrome traffic, 2015-05-16 |
With my first pass I only got these calls:
Router EK - dodged client, reason: bad network configuration, 2015-05-12 |
RouterBF - Landing - 2015-05-12, featuring some CryptoJS AES encoding |
GET http://ngwblnlfmvjazwf17swal1tn5qqjbx.informationdrommers .xyz:81/track/e_x.js
200 OK (application/javascript)
This is an implementation of Daniel Roesler's webrtc-ips, which allows gathering local and public IP addresses via STUN requests (demo proposed by @diafygi).
STUN calls generated by the "Router EK" captured in Wireshark, 2015-05-18 (note: that pass was successful, cf. local IP range) |
Decoded piece of the landing. We can see some router fingerprinting by image path and size, and an IP range condition (otherwise redirect to "about:blank") |
The landing was smaller; some AES encoded strings were moved to separate calls:
/stat/dnd.php
/stat/gcd.php?l=1
Here is the list as of 2015-05-18:
ASUS AC68U
ASUS RTN56U & ASUS RTN10P & ASUS-RTN66U & ASUS-RT56-66-10-12
ASUS-RTG32
BELK-PHILIPS (?)
BELKIN F5D7230-4
BELKIN F5D8236-4V2
BELKIN F9k1105V2
BELKIN-F5D7231-4
BELKIN-F5D7234-4
D'LINK DIR-600
D'LINK DIR-604
D'LINK DIR-645
D'LINK DIR-810L & DIR-826L & DIR-615 & DIR-651 & DIR-601 & WBR1310 & D2760
D'LINK DSLG604T
D'LINK-DIR-2740R
EDIMAX BR6208AC
LINKSYS BEFW11S4 V4
LINKSYS L120
LINKSYS WRT54GSV7
LINKSYS-BEFW11S4 V4
LINKSYS-LWRT54GLV4
LINKSYS-WRT54GV8
LINKSYS-X3000
LINSYS L000
Medialink WAPR300N
Microsoft MN-500
NETGEAR DGN1000B & DG834v3 & DGN2200
NETGEAR WNDR3400
NETGEAR-DGN1000 & NETGEAR-DGN2200
NETGEAR-WNR834Bv2
NETGEAR-WPN824v3
NETIS WF2414
Netis WF2414
TENDA 11N
TPLI ALL
TPLI-WR940N & WR941ND & WR700
TRENDNET E300-150
TRIP-TM01
TRIP-TM04
Trendnet TW100S4W1CA
ZYXEL MVR102
ZYXEL NBG416
ZYXEL-NBG334W
https://github.com/muaz-khan/DetectRTC/blob/master/DetectRTC.js
Data gathered by the kit via DetectRTC |
Example of a DetectRTC result before encoding, passed as a parameter |
With this information on how to get attacked, I moved the VM to an "accepted" IP range and faked owning a targeted router:
DNSChanger EK tricking Chrome into exploiting a D'LINK (CVE-2015-1187), then changing the DNS (to 185.82.216.86) and rebooting |
Knowing CVE-2015-1187 was released on 2015-03-02, I guess this attack is pretty effective (the percentage of routers updated in the past two months is probably really low).
Here is the code sent in an AES encoded form for the D'LINK attack:
D'LINK attack instructions - 2015-05-18 |
(Note that routers are not updated automatically, so while we hardly ever see a >3 year old CVE in a browser exploit pack, for routers this might still be relevant.) CVE-2013-2645 might be here as well. We can bet there are a lot more buried in the POST commands dedicated to some of the models.
I made a pass for some Linksys models:
The DNSChanger EK trying to perform a dictionary attack on a Linksys WRT54G, 2015-05-18 |
For the Microsoft MN500:
A Router EK trying to perform a brute-force attack on a Microsoft MN500, 2015-05-18 |
I made another pass today, and saw an additional call:
A router EK 2015-05-22 - one more call, another DNS server |
The DNS server is now changed to 217.12.202.93 (previously it was 185.82.216.86, and earlier 37.139.50.45; quite surely some others have been used). Google DNS is always set as failover, to avoid raising alarms if something goes wrong with the first IP.
We know what they can do: bank/WebMoney MITM, phishing, ad fraud, etc. But to the question "what are they doing?" I have no answer yet (if you figure it out, I'd be more than happy to get a mail :) ).
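As an added example (not code from the post), a small defender-side check for the failover pattern described here, run over the resolver list a router hands out; the rogue IPs are the ones quoted above, while the trusted ISP range and the sample resolver lists are constructed:

```python
"""Check the ordered DNS resolver list a home router hands out against the
DNSChanger pattern described above: a rogue primary resolver with Google
public DNS kept as failover. Added example, not code from the post; the
rogue IPs are the ones quoted in the post, everything else is constructed."""
import ipaddress

# Resolver IPs quoted in the post's DNSChanger passes (2015-05-12 to 2015-05-22).
KNOWN_ROGUE_DNS = {"217.12.202.93", "185.82.216.86", "37.139.50.45"}

# Google public DNS, which the post notes is always kept as failover.
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}

# RFC 1918 ranges: a LAN resolver (usually the router itself) is expected.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_resolvers(resolvers, trusted=()):
    """Return (verdict, reason) for resolvers listed in DHCP/config order.

    trusted: resolver addresses or CIDRs the operator expects (e.g. the ISP's).
    Verdicts: "malicious" (known IP from the post), "suspicious" (unknown
    primary with Google failover), "unknown" (unexpected resolver), "clean".
    """
    trusted_nets = RFC1918 + [ipaddress.ip_network(t, strict=False) for t in trusted]
    addrs = [ipaddress.ip_address(r) for r in resolvers]

    def is_expected(a):
        return str(a) in GOOGLE_DNS or any(a in n for n in trusted_nets)

    for a in addrs:
        if str(a) in KNOWN_ROGUE_DNS:
            return "malicious", f"{a} is a DNS server quoted in the post"
    # The failover pattern: untrusted primary, Google as secondary.
    if len(addrs) >= 2 and not is_expected(addrs[0]) and str(addrs[1]) in GOOGLE_DNS:
        return "suspicious", f"unknown primary {addrs[0]} with Google DNS failover"
    unexpected = [str(a) for a in addrs if not is_expected(a)]
    if unexpected:
        return "unknown", "unexpected resolvers: " + ", ".join(unexpected)
    return "clean", "all resolvers are LAN, trusted or Google public DNS"


if __name__ == "__main__":
    isp = ["203.0.113.0/24"]  # constructed ISP resolver range (TEST-NET-3)
    for res in (["192.168.1.1"], ["217.12.202.93", "8.8.8.8"],
                ["198.51.100.7", "8.8.8.8"], ["203.0.113.53", "203.0.113.54"]):
        print(res, "->", classify_resolvers(res, isp))
```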
Thanks to Will Metcalf (Emerging Threats) for his help.
Files: RouterBF_2015-05-22.zip (5 Fiddler captures, some pieces of decoded JS)
Read more:
Large-scale DNS redirection on home routers for financial theft - 2014-02-06 - CERT-PL
[PDF]: Soho Pharming - 2013 - Team Cymru's TIG
[PDF Whitepaper]: Drive-By Pharming - 2006-12-13 - Sid Stamm (Indiana University, Bloomington), Zulfikar Ramzan (Symantec), Markus Jakobsson (Indiana University, Bloomington)