Malware Changes Router DNS Settings via Mobile Devices

Researchers have come across a piece of JavaScript malware that is capable of changing the DNS settings of home routers from mobile devices.

The malware, dubbed JS_JITON by Trend Micro, has been distributed via compromised websites in Russia and various Asian countries. When one of these sites is visited from a mobile device, JS_JITON is delivered and downloads a second-stage script detected as JS_JITONDNS, which is designed to change the DNS settings of the router the infected device is connected to.

According to Trend Micro, the campaign started in December 2015 and has mainly affected users in Taiwan (27%), Japan (19%), China (12%), the United States (8%) and France (4%). Infections have also been spotted in Canada, Australia, Korea, Hong Kong, the Netherlands and other countries.

An analysis of JS_JITON’s code revealed that the malware includes 1,400 combinations of common credentials that can be tried against a router’s administration interface; a successful login gives the attackers access to the device and lets them change its DNS settings. Experts also discovered the use of an old exploit for CVE-2014-2321, a vulnerability that allows remote attackers to obtain administrative access to some ZTE modems.

While the malware includes code targeting products from several top router manufacturers, including D-Link and TP-Link, Trend Micro says most of that code has been commented out. For the time being, only the ZTE modem exploit appears to be active, and it only works if the malware is executed from a mobile device.
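To make the attack surface concrete, the following is an added example, not code from the article or from Trend Micro's analysis. It models a home-router "set DNS servers" endpoint in two shapes: the shape a browser-borne script like JS_JITON relies on (any request carrying valid credentials is honoured, so a drive-by page on the LAN side can change the resolvers), and a hardened shape that refuses cross-origin writes, requires a session-bound CSRF token, validates the addresses and locks out a client that cycles through a credential list. It goes beyond the single ZTE case on the page to the generic defenses a firmware author would apply. Every identifier here (ROUTER_ORIGIN, handleDnsChangeVulnerable, handleDnsChangeHardened, the request object shape, the session object) is hypothetical, and the credential list and requests are constructed for the example.

```javascript
// Added example: a model of a home-router "set DNS servers" endpoint, not code
// from the page or from Trend Micro's analysis. Every identifier here
// (ROUTER_ORIGIN, handleDnsChangeVulnerable, handleDnsChangeHardened, the
// request object shape) is hypothetical and the credential list is constructed.

const ROUTER_ORIGIN = "http://192.168.1.1"; // assumed LAN address of the router
const ADMIN_USER = "admin";
const ADMIN_PASS = "admin"; // the kind of default pair a credential list contains

function encodeBasic(user, pass) {
  return "Basic " + Buffer.from(`${user}:${pass}`).toString("base64");
}

function basicAuthOk(headers) {
  const h = headers.authorization || "";
  if (!h.startsWith("Basic ")) return false;
  return Buffer.from(h.slice(6), "base64").toString("utf8") === `${ADMIN_USER}:${ADMIN_PASS}`;
}

function isIPv4(s) {
  const parts = String(s).split(".");
  return parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Vulnerable shape: any request carrying valid credentials is honoured, whatever
// page triggered it and whichever method it used. A script on a compromised site
// can therefore fire it from the victim's browser with a plain GET.
function handleDnsChangeVulnerable(req, state) {
  if (!basicAuthOk(req.headers)) return { status: 401, state };
  return { status: 200, state: { ...state, dns: [req.query.dns1, req.query.dns2] } };
}

// Hardened shape: POST only, same-origin only, CSRF token bound to the session,
// validated addresses, and a per-client lockout against credential lists.
const MAX_FAILED = 5;
const failedLogins = new Map(); // client address -> consecutive failed logins

function resetLockouts() { failedLogins.clear(); }

function requestOrigin(headers) {
  if (headers.origin) return headers.origin;
  // Fall back to Referer; a missing or unparsable value is treated as cross-site.
  try { return headers.referer ? new URL(headers.referer).origin : ""; } catch (e) { return ""; }
}

function handleDnsChangeHardened(req, state, session) {
  const client = req.remoteAddress;
  if ((failedLogins.get(client) || 0) >= MAX_FAILED) return { status: 429, state };
  if (req.method !== "POST") return { status: 405, state };
  // Exact origin comparison; a prefix test would pass "http://192.168.1.1.evil.example".
  if (requestOrigin(req.headers) !== ROUTER_ORIGIN) return { status: 403, state };
  if (!basicAuthOk(req.headers)) {
    failedLogins.set(client, (failedLogins.get(client) || 0) + 1);
    return { status: 401, state };
  }
  if (!req.body || req.body.csrf !== session.csrfToken) return { status: 403, state };
  const dns = [req.body.dns1, req.body.dns2].filter(Boolean);
  if (dns.length === 0 || !dns.every(isIPv4)) return { status: 400, state };
  return { status: 200, state: { ...state, dns } };
}

// Constructed stand-in for the article's list of common credential pairs.
const CREDENTIAL_LIST = [["admin", "password"], ["admin", "1234"], ["root", "root"],
                         ["user", "user"], ["admin", ""], ["admin", "admin"]];

// Replays each pair through a handler the way a drive-by script would, stopping
// at the first success or the first lockout.
function tryCredentialList(handler, makeReq, state, session) {
  let last = 0;
  for (let i = 0; i < CREDENTIAL_LIST.length; i++) {
    const [u, p] = CREDENTIAL_LIST[i];
    last = handler(makeReq(encodeBasic(u, p)), state, session).status;
    if (last === 200) return { found: `${u}:${p}`, attempts: i + 1, status: 200 };
    if (last === 429) return { found: null, attempts: i + 1, status: 429 };
  }
  return { found: null, attempts: CREDENTIAL_LIST.length, status: last };
}

// Constructed requests: a cross-site GET from a compromised page, and a
// legitimate same-origin POST from the router's own admin page.
const driveByGet = auth => ({ method: "GET", remoteAddress: "192.168.1.50",
  headers: { authorization: auth, referer: "http://compromised.example/page.html" },
  query: { dns1: "203.0.113.10", dns2: "203.0.113.11" } });
const adminPost = auth => ({ method: "POST", remoteAddress: "192.168.1.50",
  headers: { authorization: auth, origin: ROUTER_ORIGIN },
  body: { csrf: "t0k3n", dns1: "9.9.9.9", dns2: "149.112.112.112" } });

if (typeof require !== "undefined" && require.main === module) {
  const state = { dns: ["192.168.1.1"] };
  const session = { csrfToken: "t0k3n" };
  console.log("vulnerable:", tryCredentialList(handleDnsChangeVulnerable, driveByGet, state, session));
  console.log("hardened:  ", tryCredentialList(handleDnsChangeHardened, adminPost, state, session));
}
```

Run against the vulnerable handler, the constructed list succeeds on its sixth pair and the resolvers are swapped; against the hardened handler the same list trips the lockout before the correct pair is reached, and the drive-by GET never gets past the method and origin checks. Two caveats the model makes visible: the origin check must be an exact comparison, not a prefix match, and a request that carries neither Origin nor Referer (both can be suppressed by the initiating page) must be treated as cross-site rather than trusted by default.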

Researchers noted that the compromised websites also serve JS_JITON when accessed from a desktop computer, but the infection chain is different.

Trend Micro noticed that the malicious scripts have been regularly updated by the malware authors — at one point they also included keylogger functionality to steal data entered on specified websites — which could indicate that the threat is still being tested.

“Cybercriminals behind this incident employ evasive mechanisms to go off the radar and continue their attack without rousing any suspicion from affected users. Such tactics include regularly updating the JavaScript code to fix errors and constantly changing targeted home routers,” Trend Micro’s Chisato Rokumiya explained in a blog post.

Related: Quanta Routers Plagued by Many Unpatched Flaws

Related: New Remaiten Malware Builds Botnet of Linux-Based Routers

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.