According to Netlab experts, the hackers are scanning the Brazilian IP space for routers that use weak or no passwords, accessing the routers' settings, and replacing legitimate DNS settings with the IPs of DNS servers under their control.
This change redirects all DNS queries that pass through the compromised routers to the malicious DNS servers, which respond with incorrect info for a list of 52 sites.
Most of these sites are Brazilian banks and web hosting services, and the redirection leads back to a phishing page that steals victims' credentials for these sites.
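As an added example (not from Netlab's report or this article), the check below shows how a defender can spot this kind of hijack from the outside: compare the answers the router's resolver gives against a trusted resolver, and flag the tell-tale pattern of many unrelated bank or hosting domains all resolving to the same address. Domain names and IPs are constructed placeholders from documentation ranges; the resolver allow-list is a hypothetical ISP range.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (hypothetical names, documentation-range IPs).
# TRUSTED: answers from a resolver you control; ROUTER: answers from the
# resolver the router now hands out via DHCP after its settings were changed.
TRUSTED = {
    "bank-a.example": "203.0.113.10",
    "bank-b.example": "203.0.113.20",
    "hosting.example": "198.51.100.5",
    "news.example": "198.51.100.77",
}
ROUTER = {
    "bank-a.example": "192.0.2.66",
    "bank-b.example": "192.0.2.66",
    "hosting.example": "192.0.2.66",
    "news.example": "198.51.100.77",  # untouched: only the targeted list is rewritten
}

def mismatched_answers(trusted, suspect):
    """Domains whose A record from the suspect resolver differs from the trusted one."""
    return {d: (trusted[d], suspect[d])
            for d in trusted if d in suspect and trusted[d] != suspect[d]}

def shared_landing_ips(answers, min_domains=2):
    """IPs that several unrelated domains resolve to: a hijacked resolver points
    every targeted site at the same phishing server(s)."""
    by_ip = defaultdict(list)
    for domain, ip in answers.items():
        by_ip[ip].append(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}

def unexpected_dns_servers(configured, allowed_networks):
    """Configured resolver IPs outside the ISP/corporate ranges you expect."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [s for s in configured
            if not any(ipaddress.ip_address(s) in n for n in nets)]

def audit_router(configured_dns, allowed_networks, trusted, suspect):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for s in unexpected_dns_servers(configured_dns, allowed_networks):
        findings.append(f"router hands out resolver {s} outside expected ranges")
    for d, (good, bad) in mismatched_answers(trusted, suspect).items():
        findings.append(f"{d}: trusted={good} router_dns={bad}")
    for ip, ds in shared_landing_ips(suspect).items():
        findings.append(f"{ip} serves {len(ds)} targeted domains: {', '.join(ds)}")
    return findings
```

Calling `audit_router(["192.0.2.66"], ["203.0.113.0/24"], TRUSTED, ROUTER)` on the sample data yields five findings: one unexpected resolver, three rewritten domains, and one shared landing IP.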
Attackers do all this with the help of three modules, which Netlab has dubbed Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger, each named after the programming language in which it is written.
The first module, Shell DNSChanger, is written in Shell and is a combination of 25 Shell scripts that can brute-force the passwords of 21 routers or firmware packages.
"This sub-module is only being used lightly, with limited deployment by the attacker," Netlab researchers said over the weekend.
This one is only deployed on already-compromised routers to scan and brute-force other routers and devices on internal networks.
The third module, PyPhp DNSChanger, is written in a combination of Python and PHP, and is the most potent of all three. Netlab says this module has been deployed on over 100 Google Cloud servers, from where the attackers are constantly scanning the Internet to identify vulnerable routers.
This module uses 69 attack scripts that can brute-force the passwords of 47 different routers and firmware packages.
Furthermore, this module also uses an exploit that bypasses the authentication procedures of some routers and alters their DNS settings. This exploit (known as the dnscfg.cgi vulnerability) was used in Brazil in a similar fashion in February 2015, also to change DNS settings and redirect Brazilian bank users to phishing sites.
Netlab researchers say they managed to access this third module's admin area, where they discovered that PyPhp DNSChanger alone had infected over 62,000 routers.
In addition, this third module also appears to use a stolen Shodan API key to identify vulnerable routers it can exploit, via the Shodan IoT search engine.
All in all, the operators of this botnet, which Netlab has nicknamed GhostDNS, can target over 70 different types of routers, have already infected over 100,000 routers, and are currently hosting phishing pages for over 70 different services (the 52 URLs found by Netlab researchers, plus another 19 phishing sites hosted on the same phishing servers, to which GhostDNS had not yet redirected traffic).
Netlab says it notified affected entities such as Brazilian ISPs about the ongoing campaign. A list of the URLs for which GhostDNS redirects traffic to phishing pages, along with the list of routers GhostDNS is known to be able to infect, is available in Netlab's report.