Co-authored by Josh Hopkins and Nick Byers
This research was undertaken in collaboration with Manabu Niseki (@ninoseki on Twitter) and CERT.br (https://cert.br).
Manabu is a Tokyo-based researcher who has been tracking GhostDNS for a number of years. His leads and insight into GhostDNS assisted in confirming the findings documented in this blog post.
We will continue to collaborate with CERT.br on a shared goal of identifying the threat actors operating the infrastructure detailed in this blog.
Do you work for a national CERT? Are you interested in teaming up with Team Cymru on data research and threat assistance? Then join our CSIRT Assistance Program (CAP).
Before 2020 many companies may not have considered a mostly remote workforce when designing networks and network defenses. Similarly, most workers may not have considered the possibility of a “work from home” situation. The vulnerability of home network devices has probably never been more of a threat to information security.
Attackers continue to compromise vulnerable SOHO routers by taking advantage of default or weak user-defined passwords, as well as the use of publicly available exploits.
GhostDNS is a platform developed to help attackers find vulnerable routers and change the DNS settings of those that are exploitable. Most notably, attackers have used GhostDNS to target Brazilian financial institutions and their customers.
The attackers utilise two DNS servers – a primary ‘rogue’ server which redirects requests for specified websites of interest to phishing pages and a secondary server, generally Google’s public DNS server (22.214.171.124 or 126.96.36.199), which is used to handle all other requests.
This setup allows the attackers to remain undetected for long periods of time (we’ve observed this being several months in multiple cases) as, from a victim’s perspective, no discernible disruption to their normal browsing activity is encountered.
In this and future blog posts, we will examine what we have discovered and the methods used to hunt for the various elements of GhostDNS infrastructure within our Pure Signal™ threat hunting platform, Augury™.
The starting point for this research was based on analysis of the GhostDNS source code, specifically changer scripts which contain URL strings used by the malware to alter an exploited router’s DNS settings. We extracted unique portions of these strings for testing against the URL dataset queryable within our platform:
- DLINK routers = /dnscfg.cgi, /ddnsmngr.cmd, /Forms/dns_1
- 3COM routers = /Forms/dns
- Secutech routers = /goform/AdvSetDns
Note: Some of these strings have appeared in previous research on generalized DNS hijacking attacks, with references made to the targeting of Brazilian banks and their customers. Infrastructure identified using the above strings has shown correlation, via victim data, with other known GhostDNS infrastructure OR is associated with behaviour which matches the modus operandi of previous GhostDNS activity.
From the data obtained from Augury, the /dnscfg.cgi string was most commonly observed. An example of which is displayed below:
In this example, we identify 149.56.152[.]185 as the rogue DNS server, with one of Google’s public DNS servers being used for the secondary server (as previously discussed). The potential victims in this example have been obscured.
Focusing on the source of these connections, we were able to identify 21 distinct IP addresses being used by attackers in attempts to update the DNS settings of vulnerable routers, covering a period of 1st May 2020 to the time of publishing. We have categorized these as Changer IP addresses which are disclosed at the end of this blog.
From pivots on the URL strings and activity associated with the Changer IP addresses, 7 rogue DNS servers were identified:
A methodology was then established to identify further rogue DNS servers, based on potential victim interactions with the 7 servers already identified.
NetFlow queries were performed in Augury, filtered to examine inbound port 53 (commonly used for DNS) connections to the rogue DNS servers, thus identifying potential GhostDNS victims. Further queries were then performed on outbound connections to remote port 53, sourced from the potential victims identified in the first step.
Through repetition of this methodology, a further 13 rogue DNS servers were illuminated – all 20 identified rogue DNS servers are disclosed at the end of this blog and are also summarised in the timeline below:
Whilst a number of providers were utilized by the attackers for the hosting of the DNS servers, two providers in particular stood out in terms of the number of servers identified on each:
- 9 rogue DNS servers were identified being hosted on a /24 assigned to Nodes Direct Holdings, US.
- 5 rogue DNS servers were identified being hosted on a /24 assigned to Data City, CA.
Note: At this stage we have not ascertained whether the attackers are utilizing compromised or paid-for infrastructure for the hosting of rogue DNS servers.
Passive DNS (PDNS) and DNS Query datasets from the Augury solution were utilized in order to provide further context around the nature of the requests being targeted by the attackers – for which their rogue DNS servers provide redirects to phishing pages.
Using 149.56.152[.]185 as an example again, the following websites were passively identified within Team Cymru’s data holdings as being targeted by attackers:
This shows that as well as banking data, the attackers are also interested in obtaining possible email credentials, as well as account information for services like Netflix, PayPal and Shoptime – a Brazilian ecommerce website.
Pivoting on websites known to be targeted by the attackers, we are also able to close the loop on tying identified infrastructure into the wider GhostDNS threat activity:
In this example, in addition to our example rogue DNS server – 149.56.152[.]185, we see PDNS data relating to some of the rogue DNS servers hosted in the netblock assigned to Data City, CA.
During the discovery exercise undertaken to illuminate rogue DNS servers, a total of more than 1,500 potential victim IP addresses* were identified.
The large majority of these IP addresses were assigned to providers in Brazil, however a small proportion of Argentinian assigned IP addresses were also observed.
It is plausible that the attackers maintain an interest in customers of Brazilian banks who reside within the wider South American region, this finding would appear to contradict previous reporting on GhostDNS, which has suggested that attacker activity is limited to Brazilian users only.
Indicators of Compromise
Changer IP addresses 
Rogue DNS servers 
Previous Community Reporting
* Team Cymru has provided any victim data to CERT.br.