Novidade, a new Exploit Kit is targeting SOHO Routers

Security experts at Trend Micro have discovered a new exploit kit, dubbed Novidade (“novelty” in Portuguese), that is targeting SOHO routers to compromise the devices connected to the network equipment.

The Novidade exploit kit leverages cross-site request forgery (CSRF) to change the Domain Name System (DNS) settings of SOHO routers and redirect traffic from the connected devices to the IP address under the control of the attackers.

Since its first discovery in August 2017, experts observed three variants of the exploit kit, including one involved in the DNSChanger system of a recent GhostDNS campaign.

Novidade is currently used in several distinct campaigns, which leads the experts to believe that it has either been sold to multiple threat actors or that its source code has leaked.

Most of the campaigns discovered by the researchers leverage phishing attacks to steal banking credentials in Brazil. The experts also observed campaigns with no specific target geolocation, which suggests either that the attackers are expanding their target areas or that a larger number of threat actors are using the exploit kit.

“We found Novidade being delivered through a variety of methods that include malvertising, compromised website injection, and via instant messengers.” reads the analysis published by Trend Micro.

Experts noticed that the landing page uses the JavaScript Image function to generate HTTP requests to a predefined list of local IP addresses commonly used by routers. Once a connection is established, the Novidade toolkit queries that IP address to download a base64-encoded exploit payload.

The exploit kit blindly attacks the detected IP address with all of its exploits.

The malicious code also attempts to log into the router with a set of default credentials and then executes a CSRF attack to change the DNS settings.

“Once the router is compromised, all devices connected to it are vulnerable to additional pharming attacks.” continues the analysis.

All the variants of Novidade exploit kit observed by Trend Micro share the same attack chain, but the latest version improves the code on the landing page and adds a new method of retrieving the victim’s local IP address. 

Below is the list of possibly affected router models, based on Trend Micro's comparison of the malicious code, network traffic, and published PoC code.

  • A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)
  • D-Link DSL-2740R
  • D-Link DIR 905L
  • Medialink MWN-WAPR300 (CVE-2015-5996)
  • Motorola SBG6580
  • Realtron
  • Roteador GWR-120
  • Secutech RiS-11/RiS-22/RiS-33 (CVE-2018-10080)
  • TP-Link TL-WR340G / TL-WR340GD
  • TP-Link WR1043ND V1 (CVE-2013-2645)

Novidade has been used mostly to target Brazilian users; the largest campaign has delivered the exploit kit 24 million times since March.

In September and October, Novidade was delivered through instant-messenger notifications about the 2018 Brazil presidential election and through compromised websites injected with an iframe that redirected visitors to Novidade. The latter attack hit websites worldwide.

Trend Micro recommends keeping device firmware up to date, changing the default usernames and passwords on routers, and also changing the router's default IP address. Disabling remote access when it is not needed is also recommended, as is using secure web connections (HTTPS) to access sensitive websites in order to prevent pharming attacks.
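As an added example (not code from the article or from Trend Micro's analysis), the following Python check lets a defender verify that a router's configured DNS servers are the expected ones and that lookups of canary domains through the router agree with a trusted resolver, which is the symptom a DNSChanger-style compromise leaves behind. The resolver allowlist, LAN ranges and sample lookup results are constructed assumptions to be replaced with values from your own environment.

```python
import ipaddress

# Assumption: resolvers this network is expected to use (ISP or public resolvers).
EXPECTED_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}
# Assumption: the router itself forwarding DNS from a private LAN address is normal.
# Explicit RFC 1918 ranges are used instead of ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as "private".
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_resolver(server: str) -> str:
    """Return 'expected', 'lan' (the router forwarding DNS) or 'unexpected'."""
    addr = ipaddress.ip_address(server)
    if server in EXPECTED_RESOLVERS:
        return "expected"
    if any(addr in net for net in LAN_NETWORKS):
        return "lan"
    return "unexpected"


def dns_settings_alerts(configured_servers):
    """Flag every DNS server on the router that is neither expected nor on the LAN."""
    return [s for s in configured_servers if classify_resolver(s) == "unexpected"]


def pharming_alerts(via_router, via_trusted):
    """Compare answers for canary domains resolved through the router's DNS with
    answers from a trusted resolver; disjoint answer sets indicate redirection.
    Both arguments map domain -> set of answer IPs (strings)."""
    alerts = []
    for domain, router_ips in via_router.items():
        trusted_ips = via_trusted.get(domain, set())
        if trusted_ips and not (router_ips & trusted_ips):
            alerts.append((domain, sorted(router_ips), sorted(trusted_ips)))
    return alerts


if __name__ == "__main__":
    # Constructed sample data: the router has been given a rogue upstream resolver
    # and answers a banking canary domain with an address the trusted resolver
    # never returns, while an unrelated domain still resolves normally.
    configured = ["192.168.1.1", "203.0.113.77"]
    via_router = {"bank.example": {"203.0.113.10"}, "news.example": {"198.51.100.5"}}
    via_trusted = {"bank.example": {"198.51.100.20", "198.51.100.21"},
                   "news.example": {"198.51.100.5"}}
    print("Rogue resolvers:", dns_settings_alerts(configured))
    print("Pharming indicators:", pharming_alerts(via_router, via_trusted))
```

In practice the router's DNS servers come from its admin page or DHCP lease, and the canary answers from a resolver library pointed at the router versus a trusted DNS-over-HTTPS endpoint.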


Pierluigi Paganini

(Security Affairs – Novidade exploit kit, hacking)

