What is DNS spoofing?

threatcop
4 min readJul 3, 2019


A previously undetected remote access trojan known as Ratsnif, which has been used in cyber-espionage campaigns by the OceanLotus group, has acquired new capabilities that allow the trojan to modify web pages and carry out SSL hijacking. OceanLotus is a group of cyber attackers that favours Vietnamese state interests in its espionage operations.

Once installed on the machine, the Ratsnif trojan creates a run-once mutex called ‘oneinstance’. It then initialises Winsock version 2.2 and harvests system information such as the username, computer name, workstation configuration, Windows system directory and network adapter details. This information is sent to the attacker’s C2 server through an HTTP POST request.

After analysing four variants of the Ratsnif RAT family, researchers found that the trojan had evolved from a debug build into a release version with several new features, including DNS spoofing.

What is DNS spoofing?

Domain Name Server (DNS) spoofing is also known as DNS cache poisoning, DNS tampering, DNS redirection and DNS hijacking. According to a report, DNS-based attacks alone cost more than $2 million a year!

It is a type of attack in which altered DNS records are used to redirect online traffic to a fake website that resembles the original destination. Once redirected to the forged website, the user is prompted for information, giving the perpetrator the opportunity to steal their access credentials and other sensitive data. Furthermore, the malicious website is often used to install worms or viruses on the user’s computer, giving the perpetrator long-term access to it and the data it stores.

DNS spoofing can be carried out using various methods, including DNS cache poisoning, compromising a DNS server, or a man-in-the-middle attack. If a DNS record is spoofed, the attacker can redirect all traffic that relied on the correct record to a fake website that resembles the real site, or to a different site entirely.

Why do attackers spoof DNS?

To launch an attack: By changing the IP address of a domain, a hacker can divert a large amount of traffic to a server that is incapable of handling it. This can cause the server to slow down, stop, and encounter many errors. Such a “denial-of-service” attack can even shut down a website.

Redirection: A corrupted DNS entry can redirect users to websites they do not intend to visit. Hackers might leverage this to redirect victims to phishing sites. These sites look identical to the actual website but are operated by the hacker, tricking the user into submitting their personal information. ISPs also use DNS redirection to collect user browsing data.

Censorship: It is impossible to browse the web without DNS, so controlling the DNS server in turn controls the web. For example, government-controlled ISPs in China use DNS tampering as part of their censorship system to block websites from public view.

DNS hijacking can occur in two ways:

· By tampering with the resolver cache of an existing DNS nameserver.

· By creating a malicious DNS nameserver and spreading malware that makes routers and end-user devices use it.
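The first of these, tampering with a resolver's cache, works by slipping a forged answer to the resolver before the real one arrives. What makes that hard is the set of checks a resolver applies to every UDP reply before caching it: the reply must carry the transaction ID of the outstanding query, repeat the question exactly, and answer the name that was actually asked. The script below is an added example written for this article (not code from the post or from any resolver project); it builds constructed replies for example.com with documentation addresses and shows the validator rejecting forged ones.

```python
import struct

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in 0x00."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(data, off):
    """Decode a name at offset, following RFC 1035 compression pointers."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            ptr = ((n & 0x3F) << 8) | data[off]
            return ".".join(labels + [decode_name(data, ptr)[0]]), off + 1
        labels.append(data[off:off + n].decode())
        off += n

def build_response(txid, qname, ip, answer_name=None):
    """Constructed A-record reply used as a test fixture here, not captured traffic."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(answer_name or qname) + struct.pack(">HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer

def validate_response(expected_txid, expected_qname, data):
    """Checks a resolver applies before trusting a UDP reply (source address and
    port must also match the socket the query left from; that happens below this layer)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        return False, "transaction id does not match our query"
    if not flags & 0x8000:
        return False, "not a response"
    qname, off = decode_name(data, 12)
    off += 4  # skip QTYPE and QCLASS
    if qdcount != 1 or qname.lower() != expected_qname.lower():
        return False, "question section does not match query"
    if ancount < 1:
        return False, "no answer record"
    name, off = decode_name(data, off)
    rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if name.lower() != expected_qname.lower():
        return False, "answer is for a name we did not ask about"
    if rtype != 1 or rdlen != 4:
        return False, "unexpected record type or length"
    return True, ".".join(str(b) for b in data[off:off + rdlen])
```

A real resolver additionally randomises the source port and transaction ID of every query, so a forged reply has to guess both values before the genuine answer arrives.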

How to prevent DNS spoofing?

1. Always check for HTTPS

A spoofed website will likely look identical to the actual website the victim intended to visit. However, attackers usually don’t have a valid SSL certificate for the domain, so the website will not show “https” or a closed padlock in the browser’s URL bar.

2. Use a VPN

A Virtual Private Network (VPN) is a service that encrypts all internet traffic going to and from your device and routes it through an intermediary server in a location chosen by the user. Quality VPN services run their own private DNS servers, and all DNS requests are sent through the encrypted tunnel. This means DNS requests can neither be intercepted nor altered.

3. Increase the reputation of your email domain

With the DMARC record generator and analyser tool KDMARC, organizations can access reports that provide a detailed analysis of DNS spoofing of their email domain. This helps organizations enable the filters appropriate for securing their email domain.



Written by threatcop

Threatcop is a cybersecurity company that provides security solutions to businesses to protect them against email-based attacks and social engineering attacks.
