Brazilian banks and corporations were targeted by a massive 100,000-strong botnet

• The operator of the botnet, called GhostDNS, is capable of targeting over 70 different routers.
• Around 88% of compromised routers are located in Brazil.

A massive botnet campaign targeting corporations and banks in Brazil successfully hijacked over 100,000 devices. The campaign involves attackers compromising routers with weak passwords, and modifying their DNS settings to redirect users to phishing sites.

Security researchers at Netlab 360 discovered that only those users attempting access the online banking sites of Brazilian banks were being redirected to phishing sites. The campaign was first detected by researchers at Radware in August.

“Unique about this approach is that the hijacking is performed without any interaction from the user,” Radware researchers said in their blog. “The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and his/her regular shortcuts, he or she can type in the URL manually or even use it from mobile devices such as iPhone, iPad, Android phones or tablets. He or she will still be sent to the malicious website instead of to their requested website, so the hijacking effectively works at the gateway level.”

Modus operandi

The campaign is currently still active, and according to Netlab researchers, the cybercriminals behind the campaign are scanning the internet for Brazilian routers with weak or no passwords. Once the vulnerable routers have been hijacked, the routers’ legitimate DNS setting is replaced with the IP addresses of the DNS servers controlled by the attackers.

Researchers also discovered that the victims attempting to access the online banking sites of Brazilian banks were redirected to one of 52 malicious sites, that allowed the attackers to steal the victims’ banking credentials.

“Based on the logs of GhostDNS from 09-21 to 09-27, we have observed 100k+ infected router IP addresses (87.8% located in Brazil), involving 70+ router/firmwares. Due to the dynamic updates of router IP address, the actual number of infected devices should be slightly different.”

The operator of the botnet, called GhostDNS, is capable of targeting over 70 different routers. Netlab researchers said that they have notified organizations compromised by the botnet of the ongoing campaign.