Brazil’s new router type attack is at the forefront

Router attack Brazil

Avast: In Brazil in the first quarter of 2019 over 180,000 routers changed their DNS settings.

Brazilian users have been attacked for almost a year with a new type of router, which has been seen worldwide.

The attacks are nearly invisible for end users and can lead to dire financial losses for hacked users. They can be catastrophic.

What is happening to routers in Brazil at the moment should be a warning to users and ISPs around the world who should take care to secure devices before they are also affected by the attacks in South America.


The router attacks started last summer in Brazil with the first cyber securities company to be observed by Radware and the following month by security researchers from Netlab, Chinese Cybersecurity Giant Qihoo 360, who were the threat of network hunting.

The two companies then discussed how more than 100,000 Brazilian home routers were infected by a cyber-criminal group and their DNS settings were altered.

Changes made to those routers turned infected users to websites of malicious clones when they tried to access some Brazilian banks ‘ e-banking sites.

A few months later, the threat of Bad Packets in April 2019, which detailed yet another wave of attacks aimed mainly on the D-Link routers which were also hosted on Brazil’s ISPs, was similar. The threat was not yet uncovered.

In order to collect your credential according to researchers at Ixia, the hackers were also this time, besides hijacking users visiting Brazilian banks, redirecting users to phish pages for Netflix, Google or PayPal.

But these attacks have not stopped, according to a report published this week by Avast. In reality, hackers infected and modified the DNS configurations of more than 180 000 Brazilian routers in the first half of 2019 according to the company.

In addition, the number of aggressive actors involved appears to have also increased and the complexity of the attacks has increased.

brazil router attacks

Attacks blocked by Avast on Brazilian routers

Image: Avast

The most Brazilian users, David Jursa and Alexej Savčin, say during their visit to the sports-movie-streaming websites or adult portals, have hacked their home routers.


Malicious commercials (malvertising) on these websites run special code within the user’s browsers to search and detect a home router IP address, a model of the router. When they detect the IP and the model of a router, the malicious ads then log in without your knowledge by using a list of default usernames and passwords.

The attacks take a while but most users will not notice anything because they usually watch the websites that they have just accessed on video streams.

If attacks are successful, the default DNS configuration on the victim’s router is altered and replaced by the upstream ISPs with the ID addresses of the hackers ‘ DNS Server, which are relayed malicious code through malicious ads.

When the smartphone or the computer of the user connects to the router, the malicious DNS server IP addresses are given and all DNS requests are funneled through servers, thus enabling them to hijack and redirect the traffic to bad clones.


Per Avast investigation hackers were using 2 special kits for these attacks.The first is called GhostDNS, which was first seen from last summer, and the botnet that Radware and Netlab described last year.

In February there was also a version of GhostDNS, called Navidade.

As Per Avast: “Novidade tried in February to infect routers of Avast users more than 2.6 million times and was spread over three field campaigns.” Avast calls this new SonarDNS botnet as the attacker has apparently restructured its infrastructure with an penetration test framework called Sonar.js.

Yeah, Sonar.js is ideal for attacking routers. Used by penetration testers in order to identify and run exploits on internal network hosts, this JavaScript library is ideal for determining a router type and running exploits on the target device with a couple of line code.

Avast says he saw SonarDNS in the last three months in three different campaigns and his way of working seems to imitate how GhostDNS works.


But attacks against routers in Brazil have not stopped and also changed In fact, the hackers ‘ groups behind these attacks have added further tricks to their arsenal as well as hijacking and redirecting users into phishing pages.

The first is to disrupt user traffic and substitute legitimate advertising with advertising operated or profit-making for attackers.

This is not a new tactic, by itself. In 2016, researchers from Proofpoint identified an exploit kit called DNSChanger EK which did the same thing–replacing legitimate ads with malicious ads–and most probably inspired what Brazil’s botnet operators are doing.

Secondly, GhostDNS, Navidade and SonarDNS operators have also used cryptojacking scripts from the browser. In Brazil last year, another group hijacked over 200.000 Mikrotik routers and added crypto-monetary browser miners to the web traffic of users, which also showed this last tactic.


But, despite everything else, the attacks that change DNS are the most dangerous of all for end-users. The reason is that the botnet operators collect information from users and deceive profiles online or steal money from bank accounts of users. This is because

With the attacks so sneaky, difficult to detect and so profitable, it is a mystery that they did not spread to other countries.

Routers are both affordable and easy to hack. However, most IoT botnets are today used as a proxy for DDoS assaults, brutal or credential stuffing attacks by most IoT devices. It would be much more profitable to use phishing routers.

A few options are available to users who want to stay safe from any IoT botnet that targets routers to modify their DNS settings:

  • Use complex router passwords.
  • Use Custom DNS on the devices to prevent your OS from requesting any defective DNS from the local router.
  • Use Custom DNS settings on your devices.
Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.