Novidade

In December 2018, Trend Micro identified a new exploit kit (EK), Novidade, used across multiple campaigns. Novidade samples first appeared in August 2017, and its use is believed to have spread due to source code leaking online or through sale to multiple threat groups. Researchers determined the largest campaign using the EK was delivered over 24 million times since March 2018. Novidade targets small office and home (SOHO) routers, poisoning their Domain Name System (DNS) settings to resolve legitimate domain requests to phishing IPs hosted by the threat actor, known as a pharming attack. The malicious IPs will attempt to steal user banking credentials through spoofed websites.

Novidade’s methods of infection include malvertising, compromised web injection, and links in instant messages. Once a user accesses a compromised link, the page makes several HTTP requests to a predefined list of local IPs to pinpoint active routers. Once an active router is identified, the infected host sends the base64-encoded payload over, which attacks the router with all of Novidade’s exploits. Novidade then attempts to log in to the router through default credential brute-force attacks, and executes a cross-site request forgery (CSRF) to change the DNS server to the attacker’s malicious DNS server. At this point, all devices connected to the router are vulnerable to pharming attacks.

Three variants of Novidade were identified, all using the same infection methods. Version 1 is the most basic variant, as expected. Versions 2 and 3 include a JavaScript obfuscator on the landing page, making Novidade more difficult to detect. Version 3 uses a WebRTC STUN request to identify the host’s local IP address and contains a shortened URL statistic tracker to count infections.

A large wave of campaigns utilizing Novidade were carried out against Brazilian users during September and October 2018, delivering the EK via an instant message referencing the Brazilian presidential election that year. Clicking the link in the message brought users to a survey page regarding election candidates, and asked users to share the link with thirty others to view the survey results. While users filled out the survey, Novidade attempted to infect the router. If compromised, the router set its DNS server to 144[.]217[.]24[.]233

Another campaign occurred in late October 2018, but attacks were not confined to one location. This time, compromised sites were injected with a hidden iframe that redirected to a page delivering Novidade. Compromised routers had their DNS server set to 108[.]174[.]198[.]177, which resolved any requests for Google.com to a phishing site at 107[.]155[.]132[.]183. Once on the malicious site, users were prompted with a download request for “Google Protections” software. Researchers were unable to determine what malware the software contained, as the download link was no longer available at the time of inspection.

Possible affected routers (non-exhaustive):

  • A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)

  • D-Link DSL-2740R

  • D-Link DIR 905L

  • Medialink MWN-WAPR300 (CVE-2015-5996)

  • Motorola SBG6580

  • Realtron

  • Roteador GWR-120

  • Secutech RiS-11/RiS-22/RiS-33 (CVE-2018-10080)

  • TP-Link TL-WR340G / TL-WR340GD

  • TP-Link WR1043ND V1 (CVE-2013-2645) 

Reporting

  • December 2018: Novidade used in September and October campaigns against Brazilians, other campaigns as well. (Softpedia)

Technical Details

  • Trend Micro provides additional technical details and indicators of compromise (IOCs) here.