Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Malware Changes Router DNS Settings via Mobile Devices

Researchers have come across a piece of JavaScript malware that is capable of changing the DNS settings of home routers from mobile devices.

Researchers have come across a piece of JavaScript malware that is capable of changing the DNS settings of home routers from mobile devices.

The malware, dubbed by Trend Micro JS_JITON, has been distributed via compromised websites in Russia and various Asian countries. When these compromised sites are visited from a mobile device, JS_JITON is delivered and it downloads a threat detected as JS_JITONDNS, which is designed to change the DNS settings of the router the infected device is connected to.

According to Trend Micro, the campaign started in December 2015 and has mainly affected users in Taiwan (27%), Japan (19%), China (12%), the United States (8%) and France (4%). Infections have also been spotted in Canada, Australia, Korea, Hong Kong, the Netherlands and other countries.

An analysis of JS_JITON’s code revealed that the malware includes 1,400 combinations of common credentials that can be used to access a router’s administration interface, which can allow attackers to access the device and change its DNS settings. Experts also discovered the use of an old exploit, CVE-2014-2321, which allows remote attackers to obtain admin access to some ZTE modems.

While the malware includes code for targeting the products of several top router manufacturers, including D-Link and TP-Link, Trend Micro says most of the code has been commented out. For the time being, only the ZTE modem exploit appears to be active and it only works if the malware is executed from a mobile device.

Researchers noted that the compromised websites also serve JS_JITON when accessed from a desktop computer, but the infection chain is different.

Advertisement. Scroll to continue reading.

Trend Micro noticed that the malicious scripts have been regularly updated by the malware authors — at one point they also included keylogger functionality to steal data entered on specified websites — which could indicate that the threat is still being tested.

“Cybercriminals behind this incident employ evasive mechanism to go off the radar and continue its attack without rousing any suspicion from affected users. Such tactics include regularly updating the JavaScript codes to fix errors and constantly changing targeted home routers,” Trend Micro’s Chisato Rokumiya explained in a blog post.

Related: Quanta Routers Plagued by Many Unpatched Flaws

Related: New Remaiten Malware Builds Botnet of Linux-Based Routers

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.