Novidade EK (Exploit Kit) Targets routers

Security researchers at Trend Micro have found another EK, named Novidade ("oddity" in Portuguese), that is focusing on SOHO switches to trade off the gadgets associated with the system gear. The Novidade misuse unit uses cross-site ask for falsification (CSRF) to change the Domain Name System (DNS) settings of SOHO switches and divert traffic from the associated gadgets to the IP address under the control of the assailants. Since its first disclosure in August 2017, specialists watched three variations of the adventure pack, incorporating one engaged with the DNSChanger arrangement of an ongoing GhostDNS crusade. Right now, Novidade is utilized in various crusades, specialists trust it has been sold to different risk on-screen characters or its source code spilled.

A large portion of the battles found by the specialists influences phishing assaults to recover managing account qualifications in Brazil. Specialists likewise watched crusades with no explicit target geolocation, a situation that proposes assailants are growing their objective regions or a bigger number of danger performing artists are utilizing the endeavor unit.

Specialists say that the point of arrival performs HTTP asks for produced by JavaScript Image capacity to a predefined rundown of neighborhood IP tends to that are utilized by switches. When setting up an association, the Novidade toolbox questions the IP deliver to download an endeavor payload encoded in base64. The adventure pack aimlessly assaults the recognized IP address with every one of its endeavors. The noxious code likewise endeavors to sign into the switch with a lot of default qualifications and afterward executes a CSRF assault to change the DNS settings. Underneath the rundown of conceivable influenced switch models dependent on Trend Micro correlations of the malignant code, arrange traffic, and distributed POC code.

  • A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)
  • D-Link DSL-2740R
  • D-Link DIR 905L
  • Medialink MWN-WAPR300 (CVE-2015-5996)
  • Motorola SBG6580
  • Realtron
  • Roteador GWR-120
  • Secutech RiS-11/RiS-22/RiS-33 (CVE-2018-10080)
  • TP-Link TL-WR340G / TL-WR340GD
  • TP-Link WR1043ND V1 (CVE-2013-2645)


For more analysis, please refer to the TrendMicro page: https://blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-novidade-found-targeting-home-and-soho-routers/

IOC table from Trend Micro:


Threat identification
Specifies
globo[.]jelastic[.]servint[.]net
Novidade exploit kit domain
landpagebrazil[.]whelastic[.[net
Novidade exploit kit domain
light[.]jelastic[.]servint[.]net
Novidade exploit kit domain
52[.]47[.]94[.]175
Novidade exploit kit IP address
pesquisaeleitoral2018[.]online
Social Engineering Domain
pesquisaparapresidente[.]online
Social Engineering Domain
108[.]174[.]198[.]177
Suspicious DNS server
144[.]217[.]24[.]233
Suspicious DNS server
172[.]245[.]14[.]114
Malicious DNS server
192[.]3[.]178[.]178
Malicious DNS server
192[.]3[.]190[.]114
Malicious DNS server
192[.]3[.]8[.]186
Malicious DNS server
198[.]23[.]140[.]10
Malicious DNS server
198[.]46[.]131[.]130
Malicious DNS server
23[.]94[.]149[.]242
Malicious DNS server
23[.]94[.]190[.]242
Malicious DNS server
23[.]95[.]82[.]42
Malicious DNS server


Post by

Comments

Popular Posts