Exploit Kit "Novidade" Found Targeting Home Routers
Analysis of the Novidade exploit kit, which targets routers by changing their DNS settings via cross-site request forgery, enabling attacks on a victim’s mobile device or desktop through web applications the victim is authenticated to.
We identified a new exploit kit we named Novidade that targets home or small office routers by changing their Domain Name System (DNS) settings via cross-site request forgery (CSRF), enabling attacks on a victim’s mobile device or desktop through web applications the victim is authenticated to. Once the DNS setting points to a malicious server, the attacker can execute a pharming attack, redirecting traffic for targeted websites from all devices connected to the same router by resolving the targeted domains to the IP address of the attacker’s server.
The earliest Novidade sample we found was from August 2017, and two different variants were identified since. While one of the variants was involved in the DNSChanger system of a recent GhostDNS campaign, we believe that Novidade is not limited to a single campaign, as the exploit kit was also concurrently being used in different campaigns. One possibility is that the exploit kit tool was either sold to multiple groups or the source code was leaked, allowing threat actors to use the kit or create their own variations. Most of the campaigns we discovered used phishing attacks to retrieve banking credentials in Brazil. However, we also recently found campaigns with no specific target geolocation, suggesting that either the attackers are expanding their target areas, or a larger number of threat actors are using it.
We named the exploit kit Novidade, which means "novelty" in Portuguese, due to the title string “Novidade!” on the webpages of all the current variants.
Infection Chain
Figure 1. Novidade infection chain
We found Novidade being delivered through a variety of methods, including malvertising, injection into compromised websites, and instant messengers. Once the victim receives and clicks the link to Novidade, the landing page first issues several HTTP requests, generated with the JavaScript Image() function, to a predefined list of local IP addresses commonly used by routers. If a connection is successfully established, Novidade will query the detected IP address to download a corresponding exploit payload, which is Base64-encoded. Novidade will then blindly attack the detected IP address with all of its exploits. This is followed by an attempt to log into the router with a set of default account names and passwords, after which a CSRF attack is executed to change the original DNS server to the attacker’s DNS server. Once the router is compromised, all devices connected to it are exposed to further pharming attacks.
Figure 2. An example of how Novidade is being delivered via instant messages
The example below is typical of most cases observed using Novidade. In this scenario, the injected DNS server resolves a targeted bank domain to an IP address hosting a fake banking website whenever a user tries to connect to that bank.
Figure 3. Example of traffic from a Novidade attack showing the malvertising method
One kit, three variants
We found three variants of Novidade, all of which share the same attack approach described above. However, the newer versions improve on the initial variant. The first version, which was found in the wild as early as August 2017, is the most basic version of the exploit kit that saw the most use during early campaigns. The second version has a similar code structure and adds a runtime JavaScript obfuscator to make the landing page look different depending on the attack. The JavaScript sub-module of GhostDNS is the second version of the Novidade exploit kit. The third variant retains the JavaScript obfuscator but refines the code on the landing page and adds a new feature to retrieve the victim’s local IP address by making requests to STUN servers with WebRTC. This technique was also employed by previous exploit kits such as Router. The third variant also allows attackers to embed a shortened URL link on their landing page, which is not used for redirection but rather to track attack statistics.
Current campaigns use both the second and third versions of Novidade in the wild.
| Feature | Version 1 | Version 2 | Version 3 |
|---|---|---|---|
| Router CSRF Attack | X | X | X |
| External IP Address Detection | X | | |
| Runtime JavaScript Obfuscation | | X | X |
| WebRTC STUN Request | | | X |
| Shortened URL Statistic Tracker | | | X |
| File Structure | index2.html, api.ipaddress.php, api.init.php | index.php, index2.php, api.init.php | index.php, addon.js, inc.php |
| Local IP Address Scan List | 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.1.1.1, 10.0.0.138, 192.168.0.1, 192.168.1.1, 192.168.1.2, 192.168.1.254, 192.168.2.1, 192.168.25.1, 192.168.100.1, 192.168.254.254 | 10.0.0.1, 192.168.0.1, 192.168.1.1, 192.168.2.1, 192.168.15.1, 192.168.25.1, 192.168.100.1 | 10.0.0.1, 192.168.0.1, 192.168.1.1, 192.168.2.1, 192.168.5.248, 192.168.15.1, 192.168.25.1, 192.168.100.1 |
Table 1. Comparing the three Novidade variants
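One defender-side check that follows from the infection chain and the Table 1 scan lists, written here as an added example and not code from the original post: flag a browser that, while on a page served from a public host, requests several of the listed gateway addresses within a few seconds, which is how the landing page locates the router before it attacks it. It assumes an HTTP log (proxy or endpoint agent) that records requests to local destinations in the constructed format timestamp, client, method, URL, Referer; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlsplit
# Gateway addresses probed by the Novidade landing page (union of the Table 1 scan lists).
NOVIDADE_SCAN_LIST = {
    "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.138", "10.1.1.1", "192.168.0.1", "192.168.1.1",
    "192.168.1.2", "192.168.1.254", "192.168.2.1", "192.168.5.248", "192.168.15.1", "192.168.25.1",
    "192.168.100.1", "192.168.254.254"}
# Assumed (constructed) log format: "<ISO timestamp> <client> <method> <url> <referer>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def is_private_ip(host):
    try:
        return ip_address(host).is_private
    except ValueError:  # a hostname, not an IP literal
        return False

def find_router_probes(lines, window=timedelta(seconds=10), min_targets=3):
    """Map (client, referer) -> sorted gateway IPs hit within `window` from a public page."""
    hits = defaultdict(list)  # (client, referer) -> [(timestamp, gateway_ip)]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, referer = m.groups()
        dst, ref_host = urlsplit(url).hostname, urlsplit(referer).hostname
        # Novidade's fingerprint: a page served from a public host makes the browser fetch
        # private gateway addresses; a user opening the admin UI directly has no such referer.
        if dst in NOVIDADE_SCAN_LIST and ref_host and not is_private_ip(ref_host):
            hits[(client, referer)].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for key, events in hits.items():
        events.sort()
        for i, (start, _ip) in enumerate(events):
            targets = {ip for t, ip in events[i:] if t - start <= window}
            if len(targets) >= min_targets:
                alerts[key] = sorted(targets)
                break
    return alerts

# Constructed sample: one client probed from an external page; one uses its own router directly.
SAMPLE_LOG = """\
2018-10-25T10:00:01 10.20.30.40 GET http://192.168.0.1/ http://landing.example/index.php
2018-10-25T10:00:01 10.20.30.40 GET http://192.168.1.1/ http://landing.example/index.php
2018-10-25T10:00:02 10.20.30.40 GET http://10.0.0.1/ http://landing.example/index.php
2018-10-25T10:05:00 10.20.30.41 GET http://192.168.1.1/ -
2018-10-25T10:05:03 10.20.30.41 GET http://192.168.1.1/status.html http://192.168.1.1/
"""
```

Browsers often bypass proxies for private addresses, so an endpoint-level log is the more reliable source; the alert key gives the suspected landing page for follow-up.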
The non-exhaustive list below includes possible affected router models based on our comparisons of the malicious code, network traffic, and published PoC code. Some of the router models were also included by Netlab 360 in a blog post on GhostDNS back in September 2018.
- A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)
- D-Link DSL-2740R
- D-Link DIR 905L
- Medialink MWN-WAPR300 (CVE-2015-5996)
- Motorola SBG6580
- Realtron
- Roteador GWR-120
- Secutech RiS-11/RiS-22/RiS-33 (CVE-2018-10080)
- TP-Link TL-WR340G / TL-WR340GD
- TP-Link WR1043ND V1 (CVE-2013-2645)
Examining the Novidade campaigns
We found several campaigns using Novidade to attack routers. A large number of these campaigns target Brazilian users, delivering the kit via malvertising attacks to steal banking information. Using the shortened URL link embedded in Novidade to track statistics, we discovered that the largest campaign has delivered the exploit kit 24 million times since March. In September and October, we also found two campaigns using different ways to deliver Novidade.
The first campaign used notifications on instant messengers regarding the 2018 Brazil presidential election as a lure. The malicious page is displayed as a normal survey on the election candidates. However, Novidade was also injected into the page. This attack proved to be especially devious, as Novidade attacked the victim’s router while they were filling out the survey.
This is immediately followed by a request for the victims to share the survey website to 30 people via instant messenger to receive the results of the candidate survey. Once a router is compromised, it will change the DNS server to 144[.]217[.]24[.]233. Unfortunately, we were unable to check the domain targeted in the pharming attack as the DNS server was already being shut down during the time we were able to analyze it.
Figure 4. Fake presidential election survey with an embedded Novidade exploit kit. The question at the bottom part asks if the recipient has already participated in election research
We observed another campaign starting in late October 2018 after noticing multiple compromised websites injected with an iframe that redirected visitors to Novidade. In this instance, the campaign injected its attack into websites in other countries, not just in Brazil as before. The DNS setting of the compromised router is changed to a malicious DNS server at 108[.]174[.]198[.]177, which resolves the “google.com” domain to the IP address (107[.]155[.]132[.]183) of a phishing web server whenever the victim accesses it. Instead of the targeted domain, the victim then sees a social engineering page that asks them to download and install software. We were unable to verify what software was actually delivered since the download link was no longer available, but it is likely malware or a potentially unwanted application, as this technique has been used many times before.
Figure 5. Source code of a compromised website with an injected hidden iframe that redirects the victim to the Novidade exploit kit
Figure 6. The fake software download
Recommendations and best practices
To defend against exploit kits like Novidade, we recommend that users always upgrade their device's firmware to the latest version. Default usernames and passwords are a highly common gateway for exploits, thus it is also important to use strong passwords on all user accounts. It is also recommended to change the router’s default IP address, as well as disable remote access features to minimize the chances for an attacker to externally manipulate the device. Finally, users should always use secure web connections (HTTPS) to access sensitive websites to prevent pharming attacks.
Trend Micro Solutions
Trend Micro endpoint solutions such as Trend Micro Security, Smart Protection Suites, and Worry-Free Business Security can protect users and businesses from this threat by blocking all related malicious URLs and detecting the malicious files. Trend Micro Mobile Security Personal Edition and Mobile Security Solutions also block all related malicious URLs that are used in attacks such as Novidade.
Trend Micro Smart Home Network™ customers are protected from particular vulnerabilities via these rules:
- 1130410,WEB Multiple Devices Unauthenticated Remote DNS Change Vulnerability
- 1131093,WEB Multiple Devices Unauthenticated Remote DNS Change Vulnerability
Indicators of Compromise (IOCs)