Looking at the global cyber landscape, we can see many campaigns and persistent threats occurring at different locations around the world. One example that has not drawn much attention is Brazil’s nationwide fraud campaigns. These come in different forms, beginning with simple phishing scams whose aim is to intercept and harvest credentials from unsuspecting users. As Brazil is the fifth largest country in the world, it may come as no surprise that these attacks are widespread and occurred very often in the past several years.

We had the opportunity to observe a live demonstration of one such campaign, currently taking place, which has implications of large scale activity. On October 21st, fifteen percent of Check Point’s sensors in Brazil were recorded communicating with the domain ‘noone.noone2.com’. This domain was identified by Check Point’s Threat Cloud as malicious, which made us decide to investigate the incident.

A technical view of the attack

At first glance, the domain’s URI appears to be broken. However, the error message presented in the page specifies a 404 response code (‘Page Not Found’), while the real retrieved code is 403 (‘Forbidden’). This implies that there’s more in the server than it is willing to show at this point.

It turns out that the server responds with an error message anytime it is visited by a host located outside Brazil. When we logged in from a Brazilian IP address, we witnessed a whole different course of actions.

First of all, instead of getting a page with an error message, we were now redirected to a page called next.php under the aforementioned domain ‘noone.noone2.com’. This was followed by a multi-step process aimed at infiltrating the user’s home router and changing the current DNS server addresses to malicious ones. All of this for the purpose of hijacking requests and replacing them with malicious responses i.e. phishing, with the end result being fraud and theft of credentials.

The first phase in this process begins at a page called 1-ex.php, which carries out a CSRF (Cross Site Request Forgery) attack by means of multiple invisible iframes embedded within the HTML source retrieved by the user. All of these share a common structure, as shown in the following figure:

pic 1

We can see an obvious attempt to log in with default credentials (e.g. admin:admin) to a predefined set of possible default gateway IP addresses. This is directed towards a page in the router’s web server which holds the current DNS configuration. The DNS server values will be changed to others, in this case 63.143.36.91 and 141.105.66.183.
We should also note that the attack is targeted to specific models of TP-LINK (as inferred from the above requests). As stated previously, these are vulnerable to CSRF.

The second phase is executed in a page named 2-ex.php, which carries on with a similar technique. The requested function is now the router’s reboot (to apply the new settings configured in the previous phase):

pic 2

The next actions in this phase (and in phase 3) consist of the same attempts to hijack the router’s DNS configuration, only now they are targeted to different router models and vendors. All of these share the vulnerability to CSRF in their web pages. In one distinctive example, we observed an attempt to introduce the discussed changes strictly by an HTTP request, avoiding any need of authentication (which appeared in previous attempts).

In the following figure, we can see values being written without any insertion of credentials:

pic 3

At the end, we land at a page named 4-ex.php which signifies the end of the process.

Suspected infection chain and similar domains

During our research, we looked for clues about the malicious domain. Simple Google queries didn’t bring up much information, as the site blocked indexing by any search engine in its robots.txt file.

However, when we tried to look for the domain in the context of other web sites, we came across an interesting fact – its URL was embedded in some other websites as a hidden iframe:

pic 4
As you can see, the 2 domains in the above example, as well as other compromised sites, are Brazilian. This strengthens the assumption that this campaign is targeted solely at residents of Brazil. Nonetheless, the identity of the attackers is still unknown.

We suspect the domain ‘noone.noone2.com’ is part of something bigger, and believe that there must be additional domains that use a similar attack method.

Therefore, we searched for domains in Check Point’s Threat Cloud that appeared in an abnormal number of gateways in Brazil, as this is what prompted us to start investigating the domain ‘noone.noone2.com’.

We found several more domains with similar features, all of which included the word “no one.” Another thing they had in common is that all were registered on the same 2 IP addresses that belong to a hosting service called Limestone Networks. This is also where the malicious DNS servers are hosted. We suspect that the attackers’ entire infrastructure initially resided in this company.

A quick investigation of the whois details of these domains revealed that all of them are protected by the proxy registration service, “whoisproxy.ru”, and the registrar is always “nic.ru”. Furthermore, all domains were first registered between August and October 2015, and are currently hosted by CloudFlare*.

Surprisingly, in the first registration of the domain ‘no-one.info’, we found clear registrant details:

Registrant Name: Joao Silva
Address: Rua das Alvoradas 334, Rio de Janeiro, Brazil
Postal Code: 0541254111
Phone Number: +55.2136547852
Email:  oscozinheiros2015@gmail.com
Registrant Billing ID: 5GHO8MR-RU

One day later, these details were protected by “whoisproxy.ru.”

We searched for more domains that include the word “no one”, and decided to investigate several of them. The following turned out to be related to this campaign as well:

  • thecooks.ru
  • thecooks.ru
  • oscozinheiros.com (as in the email address of the registrant)

A point of interest: “Oscozinheiros” means “cooks” in Portuguese.
Someone is indeed cooking a nice campaign…

When searching for additional sub domains of the detailed domains in our threat cloud, we found even more sub-domains that use the same attack method. However, these sub-domains do not include the word “no one”. A web search revealed several more sub-domains that execute this attack as well.

*These domains and whois details were passed to CloudFlare in order to them shut down.

 

Appendix – IOCs:

Domains:

  • noone.cozinhando.org
  • noone2.cozinhando.org
  • noone3.cozinhando.org
  • muleke.cozinhando.org
  • noone.noone2.com
  • noone2.noone2.com
  • noone3.noone2.com
  • noone.no-one.info
  • noone2.no-one.info
  • noone.oscozinheiros.com
  • chief.oscozinheiros.com
  • uva.oscozinheiros.com
  • meta.oscozinheiros.com
  • noone.thecooks.ru
  • noone2.thecooks.ru
  • uva.thecooks.ru
  • noone.xingling.info
  • noone2.xingling.info
  • noone3.xingling.info
  • meta.xingling.info
  • zeus.xingling.info

IPs:

  • 69.162.81.220
  • 206.188.193.208

You may also like