GhostDNS Got leaked by Mistake !

Router Exploit Kits are gaining popularity these days in the hacker world.

Talk about “ GhostDNS” which uses cross-site request forgery(CSRF) requests to alter the DNS settings and direct access through phishing pages to steal their login credentials.

The Source code has been leaked recently by mistake that happens with attackers.

How it Caught 

• The Source Code of GhostDNS exploit kit and other phishing pages were compressed in a RAR archive uploaded to a file-sharing platform by a hacker.
• When they are trying to download it, one of the members forms attacker groups forgets to disable the Avast web Shield feature of Avast Antivirus installed on their machine.
• This can allow the Avast web protection technology to detect and analyze the router exploit kit as the archive file was not password protected.

Now What next?

• The Avast Threat Intelligence Team downloaded the archive file named “KL DNS.rar” and delineated the functionality of GhostDNS.
• The Name indicates that this tool is used for DNS hijacking and Keylogging to gather critical information from the victim’s computer.
• The two methods used by hackers are Router EK and BRUT which was found in the archive file. Both methods involve the use of CSRF requests to alter DNS settings on a targeted device.

More Information!

• When the Router exploit kit(EK) preys on Devices in the local network to trick users into clicking on a malicious link, BRUT is used as a mass scanner that attacks routers exposed on the public internet.
• Some Extended version of the kit, a banner was displayed to inform the attackers that the CSRF request has been executed.
• When the login information is extracted, the GhostDNS stop and Phishing pages executed means it works step by step to perform the task.
• The most targeted countries are Brazil at the top priority, South America, US America, and Germany.

Important to mention 

All the above stuff which you read mention only these things that manipulate DNS settings and directs users to phishing sites. Cybercriminals leverage this technique to steal user login credentials and credit card numbers from banks.