Back then, the researchers came across a widespread malicious campaign that had hijacked more than 100,000 home routers, modifying their DNS settings to serve users malicious web pages. The goal of the campaign was to lure users onto phishing copies of specific banking sites and harvest their login credentials.
More about GhostDNS and How Its Source Code Got Leaked
GhostDNS is a router exploit kit that uses cross-site request forgery (CSRF) requests against routers to change their DNS settings and redirect users to phishing pages that harvest their login details. Malware analysts have apparently just received unrestricted access to the source code of this dangerous malware.
This occurred due to an honest mistake: the complete source code and many phishing pages were compressed into a RAR file called KL DNS.rar and uploaded to a file-sharing platform. The uploader, however, did not password-protect the archive. Furthermore, the uploader had Avast antivirus installed with the Web Shield enabled. This feature scans online content for malicious material, and it triggered the product's router exploit kit detections.
"A year ago (May 2019), our Avast Web Shield, a feature in our antivirus program protecting people from malicious web content, blocked a URL from the file-sharing platform sendspace.com. It turned out that one of our Avast users was up to no good, uploading a RAR archive with malicious content to the server. The user forgot to disable the Avast Web Shield while doing this, and since the archive was not password protected, it was automatically analyzed by the Shield and it triggered our router exploit kit (EK) detections," Avast researchers shared in their blog post, detailing this curious event.
The researchers then downloaded the file and discovered the complete source code of the GhostDNS exploit kit.
The KL DNS.rar file the researchers downloaded contains everything needed to run a DNS hijacking campaign. Such campaigns aim to steal credit card details, credentials for various websites, or any other information users type into web forms.
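The hijack described above leaves host-side symptoms a defender can check for: the resolvers a router hands out change to an unknown address, and sensitive domains start resolving to unexpected hosts. The following script is an added example written for this article, not code from the leaked kit or from Avast; the resolver allowlist, the expected-address table and all sample data are constructed assumptions.

```python
"""Host-side checks for symptoms of a router DNS hijack (GhostDNS-style).
Resolvers handed to a host should be the router's RFC1918 address or a
sanctioned public resolver; A records for sensitive domains should match
what the operator expects. All sample data below is constructed."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allowlist of sanctioned public resolvers (replace with your own).
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text, in order."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]

def classify_resolver(addr):
    """'lan' (router), 'known-public', 'suspect' (unknown WAN host) or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback or any(ip in net for net in RFC1918):
        return "lan"
    if addr in KNOWN_PUBLIC_RESOLVERS:
        return "known-public"
    return "suspect"  # a resolver the router should never be pointing at

def suspect_resolvers(resolv_text):
    """Nameservers that look like attacker-controlled resolvers."""
    return [s for s in parse_resolv_conf(resolv_text) if classify_resolver(s) == "suspect"]

def hijacked_domains(observed, expected):
    """Domains whose observed A record is outside the expected address set."""
    return sorted(d for d, ip in observed.items() if d in expected and ip not in expected[d])

# Constructed sample: DHCP handed out the router plus an unknown resolver.
SAMPLE_RESOLV = "search lan\nnameserver 192.168.1.1\nnameserver 203.0.113.45\n"
# Constructed answers (TEST-NET addresses stand in for real ones).
OBSERVED = {"bank.example": "203.0.113.99", "mail.example": "198.51.100.10"}
EXPECTED = {"bank.example": {"198.51.100.5"}, "mail.example": {"198.51.100.10"}}

if __name__ == "__main__":
    print("suspect resolvers:", suspect_resolvers(SAMPLE_RESOLV))    # ['203.0.113.45']
    print("possibly hijacked:", hijacked_domains(OBSERVED, EXPECTED))  # ['bank.example']
```

On a real host, feed it the contents of /etc/resolv.conf (or the DHCP lease) and A records collected from the host's own resolver; a non-empty result from either function is a reason to inspect the router's DNS configuration.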
Apparently, the GhostDNS source code is available for sale on the darknet. In 2018, the malware was sold online for approximately $450. GhostDNS source code is not the only thing that can be purchased. Credit card details stolen with its help can also be bought for about $10-25, depending on the number of card details. According to Avast researchers, this data was still available for purchase in April 2020.
In October 2019, another curious incident involving stolen credit card data happened. One of the largest underground stores for purchasing stolen credit card data was hacked itself. As a result, more than 26 million credit and debit card details were extracted from the store.