The hacking group integrates DNS hijacking into their malicious website campaign

DNS hijacking concept.

Researchers have discovered a malicious Android app that can tamper with the Wi-Fi router the infected phone is connected to and force the router to send all devices on the network to malicious websites.

The malicious app, found by Kaspersky, uses a technique known as DNS (Domain Name System) hijacking. Once installed, the app connects to the router and attempts to log in to its administrator account using default or commonly used credentials such as admin:admin. If successful, the app changes the DNS server to a malicious one controlled by the attackers. From there, devices on the network can be redirected to fraudulent websites that impersonate legitimate ones but spread malware or log user credentials and other sensitive information.

Can spread widely

“We believe the discovery of this new DNS switcher implementation is very important from a security perspective,” Kaspersky researchers wrote. “The attacker can use it to manage all communications from devices using a compromised Wi-Fi router with the rogue DNS settings.”

Researchers continued, “In places like coffee shops, bars, libraries, hotels, malls, and airports, users connect infected Android devices to free/public WiFi. When connected to a targeted Wi-Fi model with vulnerable settings, the Android malware compromises the router and affects other devices as well. This enables it to spread widely in the target regions.”

DNS is the mechanism that matches a domain name to the numeric IP address where the website is hosted. DNS lookups are performed by servers run by a user’s ISP, or by services from companies like Cloudflare or Google. By changing the DNS server address in a router’s administration panel from a legitimate one to a malicious one, attackers can cause all devices connected to the router to receive malicious domain lookups that lead to lookalike sites used for cybercrime.

The Android app is called Wroba.o and has been used in various countries for years, including the USA, France, Japan, Germany, Taiwan and Turkey. Curiously, the DNS hijacking technique the malware is capable of is used almost exclusively in South Korea. From 2019 through most of 2022, attackers lured targets to malicious websites via text messages, a technique known as smishing. Late last year, attackers incorporated DNS hijacking into their operations in that country.

Infection flow with DNS hijacking and smishing.

The attackers, known in the security industry as Roaming Mantis, designed the DNS hijacking to work only when devices visit the mobile version of a fake website, most likely to ensure the campaign goes undetected.

Although the threat is serious, it has one major flaw: HTTPS. Transport Layer Security (TLS) certificates, which serve as the basis for HTTPS, bind a domain name to a private encryption key known only to the site operator. People using a modern browser who are redirected to a malicious website posing as Ars Technica receive warnings that the connection is not secure or are prompted to approve a self-signed certificate, something users should never do.

Another way to combat the threat is to ensure that the password protecting a router’s administrator account is changed from the default password to a strong one.

Still, not everyone is familiar with such best practices, which leaves them open to being tricked into visiting a malicious website that looks almost identical to the legitimate one they were trying to access.
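A router that forwards DNS queries hides which upstream server it uses, so checking for a swapped DNS setting like the one described above means looking at both the resolver addresses a device was handed and the answers those resolvers return. The Python below is an added example, not code from the article or from Kaspersky's report; the expected-resolver list, the sample data and the function names are assumptions, and the two lookup callables are supplied by the caller.

```python
import ipaddress

# Assumption: resolvers this network is meant to use (Cloudflare and Google
# public DNS here); replace with your ISP's or organisation's resolvers.
EXPECTED = [ipaddress.ip_network(n) for n in
            ("1.1.1.1/32", "1.0.0.1/32", "8.8.8.8/32", "8.8.4.4/32")]
# Loopback and RFC 1918 ranges: a resolver here is normally the router itself.
LOCAL = [ipaddress.ip_network(n) for n in
         ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (documentation-range addresses, not real observations).
SAMPLE_RESOLV_CONF = "# set by DHCP\nnameserver 192.168.1.1\nnameserver 203.0.113.53\n"
SAMPLE_LOCAL = {"bank.example": ["198.51.100.7"], "news.example": ["192.0.2.10"]}
SAMPLE_TRUSTED = {"bank.example": ["192.0.2.20"],
                  "news.example": ["192.0.2.10", "192.0.2.11"]}

def parse_nameservers(resolv_conf_text):
    """Return the resolver IPs listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                pass  # skip malformed entries instead of failing the audit
    return servers

def classify_resolver(ip, expected=EXPECTED, local=LOCAL):
    """Return 'expected', 'forwarder' (local address) or 'unexpected'."""
    if any(ip in net for net in expected):
        return "expected"
    # A forwarding router's address says nothing about its upstream server,
    # so its answers have to be compared against a trusted resolver instead.
    if any(ip in net for net in local):
        return "forwarder"
    return "unexpected"

def mismatched_domains(domains, local_lookup, trusted_lookup):
    """Domains whose local answers share no address with the trusted answers."""
    flagged = []
    for name in domains:
        local, trusted = set(local_lookup(name)), set(trusted_lookup(name))
        if local and trusted and local.isdisjoint(trusted):
            flagged.append(name)
    return flagged
```

Content delivery networks can legitimately return different addresses to different resolvers, so a flagged domain is a lead to investigate rather than proof of hijacking.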

“Users with infected Android devices connecting to free or public Wi-Fi networks can spread the malware to other devices on the network if the Wi-Fi network they are connected to is vulnerable,” Thursday’s report said. “Kaspersky experts are concerned about the potential for the DNS switcher to be used to target other regions and cause significant problems.”
