Hacker Group Incorporates DNS Hijacking Into Their Malicious Website Campaign

Hacker Group Incorporates DNS Hijacking Into Their Malicious Website Campaign

DNS hijacking concept.
Enlarge / DNS hijacking concept.

Researchers have discovered a malicious Android app that can alter the wireless router the infected phone is connected to and force the router to send all network devices to malicious sites.

The malicious application, found by Kaspersky, uses a technique known as DNS (Domain Name System) hijacking. Once the app is installed, it connects to the router and tries to log in to your administrative account using the default or commonly used credentials, such as admin:admin. When successful, the application changes the DNS server to a malicious one controlled by the attackers. From then on, devices on the network can be directed to imposter sites that mimic legitimate ones but spread malware or record user credentials or other sensitive information.

Able to spread widely

“We believe that the discovery of this new DNS changer implementation is very important in terms of security,” the Kaspersky researchers wrote. “The attacker can use it to manage all communications from devices using a compromised Wi-Fi router with unauthorized DNS settings.”

The researchers continued: “Users connect infected Android devices to public/free Wi-Fi in places like cafes, bars, libraries, hotels, shopping malls, and airports. When connected to a target Wi-Fi model with vulnerable settings, Android malware will compromise the router and affect other devices as well. As a result, it is capable of spreading widely in the targeted regions.”

DNS is the mechanism that matches a domain name like ArsTechnica.com with 18.188.231.255, the numeric IP address where the site is hosted. DNS lookups are performed by servers operated by a user’s ISP or by services from companies like Cloudflare or Google. By changing the DNS server address in a router’s administrative panel from a legitimate one to a malicious one, attackers can cause all devices connected to the router to receive lookups for malicious domains that lead to similar sites that are used for cybercrime.

The Android app is known as Wroba.o and has been used for years in various countries including the US, France, Japan, Germany, Taiwan and Turkey. Interestingly, the DNS hijacking technique that the malware is capable of is used almost exclusively in South Korea. From 2019 through most of 2022, attackers lured targets to malicious sites that were sent via text messages, a technique known as smishing. Late last year, the attackers incorporated DNS hijacking into their activities in that Asian nation.

Infection flow with DNS hijacking and smishing.
Enlarge / Infection flow with DNS hijacking and smishing.

The attackers, known in the security industry as Roaming Mantis, designed DNS hijacking to work only when devices visit the mobile version of a spoofed website, most likely to ensure the campaign goes undetected.

While the threat is serious, it has one major shortcoming: HTTPS. The Transport Layer Security (TLS) certificates that serve as the foundation for HTTPS bind a domain name like ArsTechnica.com to a private encryption key known only to the site operator. People directed to a malicious site impersonating Ars Technica using a modern browser will either receive warnings that the connection is not secure or be asked to approve a self-signed certificate, a practice users should never follow.

Another way to combat the threat is to ensure that the password protecting a router’s administrative account is changed from the default to a strong one.

Still, not everyone is well versed in these best practices, leaving them open to visiting a malicious site that looks almost identical to the legitimate one they intended to access.

“Users with infected Android devices that connect to free or public Wi-Fi networks can spread malware to other devices on the network if the Wi-Fi network they are connected to is vulnerable,” Thursday’s report said. “Kaspersky experts are concerned that the DNS changer could be used to target other regions and cause major problems.

Leave a Reply

Your email address will not be published. Required fields are marked *