A payload for altering the DNS settings of home routers is being delivered through a malicious advertisement inserted in a big online advertising network.
Malvertising is an attack in which cyber criminals take advantage of third-party services displayed on different websites. Normally, the attack includes a redirect to a compromised webpage, or to one controlled by the hackers, that serves a malicious payload.
In this particular campaign the crooks have inserted the payload directly in the ad that is being delivered to the webpages through a domain owned by Google, called googlesyndication.com.
The experts analyzing the malicious URL discovered that the cyber criminals had encoded the code to disguise the threat. While decoding it, the experts had to go through 2,716 blank characters before reaching the malicious part, which tries to alter the DNS settings of the victim’s home router and force a reboot.
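One way a defender could flag the blank-character padding described above in captured ad markup, as an added example that is not from the original article or the researchers. The threshold, the set of characters treated as blank, and the sample strings are assumptions constructed for illustration.

```python
import re

# Assumption: the article does not say which "blank" characters were used, so
# ASCII whitespace and common invisible Unicode characters are both covered.
BLANKS = " \t\r\n\u00a0\u200b\u200c\u200d\u2060\ufeff"
# Assumption: runs this long do not occur in ordinary formatted or minified code.
MIN_RUN = 500


def find_padding(text, min_run=MIN_RUN, context=40):
    """Return a finding for every run of at least min_run blank characters."""
    pattern = re.compile("[%s]{%d,}" % (BLANKS, min_run))
    findings = []
    for match in pattern.finditer(text):
        tail = text[match.end():match.end() + context]
        findings.append({
            "offset": match.start(),
            "length": match.end() - match.start(),
            # Content pushed out of view is the part an analyst should read.
            "followed_by": tail,
            # A run at the very end hides nothing; report it at lower priority.
            "hides_content": bool(tail),
        })
    return findings


# Constructed samples (not taken from the campaign).
PREFIX = '<script>var slot = "banner";'
PADDED_AD = PREFIX + " " * 2716 + "/* hidden code placeholder */</script>"
MIXED_AD = PREFIX + " \u200b" * 300 + "/* hidden code placeholder */</script>"
NORMAL_AD = "<script>\n    var slot = 'banner';\n    show(slot);\n</script>"

if __name__ == "__main__":
    for name, sample in [("padded", PADDED_AD), ("mixed", MIXED_AD),
                         ("normal", NORMAL_AD)]:
        for f in find_padding(sample):
            print(name, f["offset"], f["length"], repr(f["followed_by"]))
```

The `followed_by` field gives the analyst the start of whatever the padding pushed out of view, so triage can begin there instead of at the top of the file.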
A DNS server translates between a website’s readable domain name and its IP address. By controlling the DNS server that the router uses, the attackers can return a different IP for the domain requested by the victim and serve arbitrary content.
The DNS server that is used in the attack is reportedly located in the US. Experts believe that the server has not been used so far because it is not serving malicious IPs.