New Exploit Kit "Novidade" Found Targeting Home and SOHO Routers
(Dec 11, 2018)
A new exploit kit, dubbed "Novidade," that targets home and small office routers has been discovered by researchers at Trend Micro. The exploit kit is delivered via malvertising, compromised websites, and instant messengers. If a target clicks upon a link that leads to Novidade, several HTTP requests will be generated to a predefined list of IP addresses that are used by routers. If a connection is established successfully, the exploit payload will download and attack the IP with various exploits. It then attempts to brute force the connected routers. If a router is successfully compromised, the original Domain Name System (DNS) is altered to the threat actor's DNS server. This redirects all devices connected to the infected router to the threat actor-controlled sites. The compromised router will redirect any traffic that attempts to access targeted bank domains to a fake banking website.
Recommendation: Always keep your browsers and operating systems up to date, including any browser add-ons you may need (Flash, Java). Employ network as well as host-based detection and prevention systems where possible. Your company should have policies in place to maintain the most current, and secure updates be applied to routers. Furthermore, it is crucial that routers have secure passwords to avoid automated attacks that search for default credentials.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.