Researchers have come across a piece of JavaScript malware that is capable of changing the DNS settings of home routers from mobile devices.
The malware, dubbed by Trend Micro JS_JITON, has been distributed via compromised websites in Russia and various Asian countries. When these compromised sites are visited from a mobile device, JS_JITON is delivered and it downloads a threat detected as JS_JITONDNS, which is designed to change the DNS settings of the router the infected device is connected to.
According to Trend Micro, the campaign started in December 2015 and has mainly affected users in Taiwan (27%), Japan (19%), China (12%), the United States (8%) and France (4%). Infections have also been spotted in Canada, Australia, Korea, Hong Kong, the Netherlands and other countries.
An analysis of JS_JITON’s code revealed that the malware includes 1,400 combinations of common credentials that can be used to access a router’s administration interface, which can allow attackers to access the device and change its DNS settings. Experts also discovered the use of an old exploit, CVE-2014-2321, which allows remote attackers to obtain admin access to some ZTE modems.
While the malware includes code for targeting the products of several top router manufacturers, including D-Link and TP-Link, Trend Micro says most of the code has been commented out. For the time being, only the ZTE modem exploit appears to be active and it only works if the malware is executed from a mobile device.
Researchers noted that the compromised websites also serve JS_JITON when accessed from a desktop computer, but the infection chain is different.
Trend Micro noticed that the malicious scripts have been regularly updated by the malware authors — at one point they also included keylogger functionality to steal data entered on specified websites — which could indicate that the threat is still being tested.
“Cybercriminals behind this incident employ evasive mechanism to go off the radar and continue its attack without rousing any suspicion from affected users. Such tactics include regularly updating the JavaScript codes to fix errors and constantly changing targeted home routers,” Trend Micro’s Chisato Rokumiya explained in a blog post.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.