GhostDNS Exploit Kit Source Code Ends Up in the Hands of Security Researchers

Router exploit kits are gaining popularity in the hacker world. One such exploit kit is GhostDNS, which uses cross-site request forgery (CSRF) requests to alter a router's DNS settings and redirect users to phishing pages that steal their login credentials. Recently, the source code of the GhostDNS exploit kit was leaked due to a mistake by the attackers.

What happened?

  • The source code of GhostDNS exploit kit and several phishing pages were compressed in a RAR archive uploaded to a file-sharing platform by an attacker.
  • While trying to download it, one attacker forgot to disable the Avast Web Shield component of the Avast antivirus installed on their device.
  • This allowed the Avast web protection technology to detect and analyze the router exploit kit as the archive file was not password-protected.

So what?

  • The Avast Threat Intelligence Team downloaded the archive file named ‘KL DNS.rar’ and delineated the functionality of GhostDNS.
  • The name of the file indicates that the tool uses DNS hijacking and keylogging to gather critical information from its victims.
  • Two methods for attacking routers, Router EK and BRUT, were found in the archive file. Both methods involve the use of CSRF requests to alter DNS settings on a targeted device.

But wait, there’s more!

  • While the Router exploit kit (EK) targets routers on the local network by tricking users into clicking a malicious link, BRUT is a mass scanner that attacks routers exposed on the public internet.
  • It was found that in some versions of the kit, a banner was displayed to inform the attacker that the CSRF request had been executed.
  • If the login information is found, the GhostDNS operation stops, and the phishing pages start their job.
  • Brazil is the most targeted country; the rest of South America, the US, Australia, and Germany are also among the most targeted regions.

Point to note

Employing CSRF attacks is a conventional way to manipulate DNS settings and direct users to phishing sites. Such attacks are prevalent in Brazil where cybercriminals leverage this technique to steal user login credentials and credit card numbers from banks.
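As a defender-side illustration of the technique described above, here is an added example that is not part of the original article or of the leaked kit: a router DNS-settings handler that accepts any POST from a logged-in browser (the CSRF-prone pattern the kit relies on) beside one that checks the request's origin and a per-session token. The router address, the request and session classes, and all sample values are assumptions constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed LAN address of the router's admin interface (constructed for this example).
ROUTER_ORIGIN = "http://192.168.0.1"


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST to the router admin UI (constructed)."""
    headers: dict
    form: dict


@dataclass
class Session:
    """Per-login state; the token is unguessable and never readable by other origins."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    dns_servers: tuple = ("192.168.0.1",)


def update_dns_vulnerable(req: Request, session: Session) -> tuple:
    """Relies on the session cookie alone. The browser attaches that cookie to a
    forged cross-site POST as well, so the DNS change is applied."""
    session.dns_servers = (req.form["dns1"], req.form["dns2"])
    return session.dns_servers


def update_dns_hardened(req: Request, session: Session) -> bool:
    """Applies the change only if the browser reports the router's own origin
    and the form carries the session's secret token."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return False  # cross-site request, e.g. from a page the user was lured to
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token):
        return False  # token missing or wrong: another site cannot obtain it
    session.dns_servers = (req.form["dns1"], req.form["dns2"])
    return True


def forged_request() -> Request:
    """A CSRF attempt auto-submitted from another origin, without the token (constructed)."""
    return Request(headers={"Origin": "http://attacker.invalid"},
                   form={"dns1": "203.0.113.5", "dns2": "203.0.113.6"})


def legitimate_request(session: Session) -> Request:
    """The same change submitted by the real admin page, with the token included."""
    return Request(headers={"Origin": ROUTER_ORIGIN},
                   form={"dns1": "9.9.9.9", "dns2": "149.112.112.112",
                         "csrf_token": session.csrf_token})
```

The origin check alone is not sufficient, since some clients omit Origin and Referer headers; the token check is what guarantees the form was rendered by the router itself.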