Proofpoint recently discovered a variant of the DNSChanger exploit kit (EK), which is commonly used in malvertising campaigns. The latest version infects physical internet routers through web browsers. But instead of poking holes in a victim’s browser or computer, DNSChanger exploits vulnerabilities in the router itself.

A Router Attack, Rerouted

The method of the attack is fairly sophisticated in execution. It starts when a cybercriminal buys legitimate ad space on a website and posts a file that has been poisoned with JavaScript. At first, the JavaScript simply makes a Web Real-Time Communication (WebRTC) request directed at a Mozilla STUN server that will be able to deliver the victim’s local IP address.

The attacker then tries to determine whether the victim is using a home or small business network. These networks are commonly attached to many vulnerable routers. If the victim’s IP is already known or exists outside the targeted range, he or she will be sent down a decoy path to view a benign, third-party advertisement. This allows the malware to avoid detection.

Hidden Keys

Unlucky victims, however, will be directed to a tainted ad. This .png file has JavaScript-extractable HTML code hidden inside the comment field, which pushes the victim to the landing page of the true exploit. The exploit server then passes the browser a small image.

The EK uses that image to load an Advanced Encryption Standard (AES) key hidden inside the image via steganography. That AES key is used to hide the next commands sent from the command-and-control (C&C) server. The vulnerable router list is then transferred, along with any suggested exploits. The EK looks for them on the network, infecting as it goes.

Once infected, the router serves malicious ads at will. Regardless of the initial infection vector, the malware changes the router’s Domain Name System (DNS) entries and infects any device that connects to it.

Mitigating DNSChanger

According to Bleeping Computer, targeted routers include Linksys, Netgear, D-Link, Comtrend, Pirelli and Zyxel. Users should upgrade their router firmware to the latest version to begin protecting themselves.

It’s not enough to simply use stronger router passwords, since the attack comes through the browser and bypasses all router security. However, users can also be cautious about the ads they click and work to avoid malvertising.

More from

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates.Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?[button link=""…

3 min read

Protecting Against Remote Monitoring and Management Phishing

3 min read - You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks. The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall,…

3 min read

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read

ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

7 min read