Researchers have come across a piece of JavaScript malware that is capable of changing the DNS settings of home routers from mobile devices.
The malware, dubbed JS_JITON by Trend Micro, has been distributed via compromised websites in Russia and various Asian countries. When one of these compromised sites is visited from a mobile device, JS_JITON is delivered and it downloads a second threat, detected as JS_JITONDNS, which is designed to change the DNS settings of the router the infected device is connected to.
According to Trend Micro, the campaign started in December 2015 and has mainly affected users in Taiwan (27%), Japan (19%), China (12%), the United States (8%) and France (4%). Infections have also been spotted in Canada, Australia, Korea, Hong Kong, the Netherlands and other countries.
An analysis of JS_JITON’s code revealed that the malware includes 1,400 combinations of common credentials that can be used to access a router’s administration interface, which can allow attackers to access the device and change its DNS settings. Experts also discovered the use of an old exploit, CVE-2014-2321, which allows remote attackers to obtain admin access to some ZTE modems.
While the malware includes code for targeting the products of several top router manufacturers, including D-Link and TP-Link, Trend Micro says most of the code has been commented out. For the time being, only the ZTE modem exploit appears to be active and it only works if the malware is executed from a mobile device.
Researchers noted that the compromised websites also serve JS_JITON when accessed from a desktop computer, but the infection chain is different.
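The payload described above rewrites the resolvers a home router hands out, so every client behind it silently starts using attacker-controlled DNS. A cheap client-side control is to compare the resolvers a machine actually received over DHCP against the ones the household expects and alert on anything else. The script below is an added example written for this article, not code from Trend Micro or from the malware analysis; the allowlist, the sample resolv.conf text and the 198.51.100.23 address (a documentation-range placeholder) are all constructed.

```python
"""Flag unexpected DNS resolvers handed to a client by its home router.

DNS-changing router malware such as the JS_JITONDNS component described
in the article works by replacing the resolvers the router distributes.
This check parses a resolv.conf-style text, classifies each nameserver
and reports anything that is not on the expected list. All values below
are constructed for illustration; replace EXPECTED_RESOLVERS with the
router address and resolvers your own network is supposed to use.
"""
import ipaddress
import re

# Constructed allowlist: the router itself plus a chosen public resolver.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "1.0.0.1"}

# RFC 1918 ranges, checked explicitly so that documentation-range
# addresses used in this example are treated as public, not private.
RFC1918_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample of a DHCP-generated resolv.conf; the second entry
# is an unexpected public resolver (198.51.100.0/24 is TEST-NET-2).
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 198.51.100.23
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    return NAMESERVER_RE.findall(resolv_conf_text)


def classify_resolver(addr, expected=EXPECTED_RESOLVERS):
    """Classify a single resolver address.

    Verdicts:
      'expected'           - on the allowlist
      'invalid'            - not a parseable IP address
      'unexpected-private' - RFC 1918 / loopback / link-local, but not allowed
      'unexpected-public'  - a routable address not on the allowlist (the
                             pattern a DNS-hijacking router change produces)
    """
    if addr in expected:
        return "expected"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback or ip.is_link_local or any(ip in n for n in RFC1918_NETWORKS):
        return "unexpected-private"
    return "unexpected-public"


def audit_resolvers(resolv_conf_text, expected=EXPECTED_RESOLVERS):
    """Parse and classify every resolver; returns a list of (addr, verdict)."""
    return [(a, classify_resolver(a, expected)) for a in parse_resolvers(resolv_conf_text)]


def has_suspicious_resolver(resolv_conf_text, expected=EXPECTED_RESOLVERS):
    """True if any configured resolver is outside the expected set."""
    return any(v.startswith("unexpected") for _, v in audit_resolvers(resolv_conf_text, expected))


if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{addr:16} {verdict}")
    if has_suspicious_resolver(SAMPLE_RESOLV_CONF):
        print("ALERT: router is handing out a resolver that is not on the allowlist")
```

Running it on a real machine means feeding the contents of /etc/resolv.conf (or the DNS servers reported by the OS) instead of the constructed sample; an "unexpected-public" verdict after a reboot or lease renewal is the signal worth investigating, and the fix is to check the router's DNS configuration and change its admin password.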
Trend Micro noticed that the malicious scripts have been regularly updated by the malware authors — at one point they also included keylogger functionality to steal data entered on specified websites — which could indicate that the threat is still being tested.
“Cybercriminals behind this incident employ evasive mechanism to go off the radar and continue its attack without rousing any suspicion from affected users. Such tactics include regularly updating the JavaScript codes to fix errors and constantly changing targeted home routers,” Trend Micro’s Chisato Rokumiya explained in a blog post.
Related: Quanta Routers Plagued by Many Unpatched Flaws
Related: New Remaiten Malware Builds Botnet of Linux-Based Routers

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.