GhostDNS Exploit Kit Source Code Lands Up in the Hands of Security Researchers

What happened?

• The source code of GhostDNS exploit kit and several phishing pages were compressed in a RAR archive uploaded to a file-sharing platform by an attacker.
• While trying to dowload it, one attacker forgot to disable the Avast Web Shield component of the Avast antivirus installed on their device.
• This allowed the Avast web protection technology to detect and analyze the router exploit kit as the archive file was not password-protected.

So what?

• The Avast Threat Intelligence Team downloaded the archive file named ‘KL DNS.rar’ and delineated the functionality of GhostDNS.
• The name of the file indicates that the tool uses DNS hijacking and keylogging to gather critical information from its victims.
• Two methods for attacking routers, Router EK and BRUT, were found in the archive file. Both methods involve the use of CSRF requests to alter DNS‌ settings on a targeted device.

But wait, there’s more!

• While the Router exploit kit (EK) preys on devices in the local network to trick users into clicking on a malicious link, BRUT is a mass scanner that attacks routers exposed on the public internet.
• It was found that in some versions of the kit, a banner was displayed to inform the attacker that the CSRF request has been executed.
• If the login information is found, the GhostDNS operation stops, and the phishing pages start their job.
• With Brazil at the top, South America, the US, Australia, and Germany are among the most targeted countries.

Point to note