Login

DNS Hijacking: A New Method of MitM Attack Observed in the Wild.

Authors: Roee Avni and Oksana Davidov, Researchers @ Airo Labs

January 1st, 2020

Recently we spotted a new malware, in the form of a malicious profile file. The first of its kind on MacOS traffic: DNS hijacker.

This malware inserts a profile file that adds a new network interface as a fake VPN connection layer which later on, modifies the DNS IP address. These settings are being used to hijack Google search queries and redirect them into a monetized search page which hosts the Malware .

Back in May 2019, we analyzed and published a similar malware using a different MITM method, seen here: Unlike most malicious methods, this malware has neither an application nor a plist/agent, only a profile file that modifies the network settings, which makes it much harder to detect.

 

A short explanation about DNS hijacking:

DNS hijacking, DNS poisoning, and /or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by a type of malware that overrides a computer’s TCP/IP configuration to point at a rogue DNS server under the control of a cyber attacker.

Infection vector:

The following URL is offering to update your Flash Player: hxxps://cplander.s3.amazonaws.com/flash_update.html?cid=9059702679477571548      

Clicking “Download Flash…”/”Update” (both take the same action) downloads a file called “flashupdate.mobileconfig”.

“.mobileconfig” file is a configuration profile, an XML that specifies device settings and behavior. When users receive or download such a file, they can install it on their device with a double click:

In contrast to known infection vectors this case is special because it’s simply a configuration file that is loaded on the click from download bars on the browsers.

This type of file doesn’t need to be mounted or unpacked on the disk, such as DMG, PKG and other installation files.

Such a method may bypass many AV detections that are running in real time on newly mounted or extracted items from packages.

The user is then asked to fill in their credentials:

Here is some information regarding the profile being installed:

When the  installation is completed, a new “VPN Connection” layer is created in the Network Panel and a new DNS of an AWS server is configured: 18.224.232.26

The end results in no actual VPN client or Flash Player being installed , just the new DNS that hijacks Google search queries.

Below you can see how the DNS hijacker is using its abilities to steal search traffic and redirect it to its monetized search page:

 

Network redirection chain:

  1. From Google Search URL
  2. hxxp://searchroute-1560352588.us-west-2.elb.amazonaws.com/api/dani/search?p=iphone%208&subid=1
  3. hxxps://www.searchletter.com/Results.aspx?gd=SY1001227&searchsource=&q=iphone%208&n=9491
  4. hxxps://www.bing.com/search?q=iphone…

 

Conclusion:

Since Catalina launched we are seeing an increase in malicious MitM attempts. This new method is another simple but yet sophisticated way that malware can hijack the user’s traffic for various reasons like advertising, data collection, etc.

We believe that as the pressure from the OS/browsers side will continue to limit the ways an app can take control over the user’s traffic , we will keep on seeing an increase in MitM malwares and new methods for doing so.


As we previously mentioned before, this attack is interesting because it’s simply a configuration file that is loaded on a click from download bars on the browsers themselves and It doesn’t need to be mounted or unpacked on the disk, such as DMG, PKG and others installation files.

Such a method could bypass many AV detections running in real time on newly mounted or extracted items from packages.

 

To remove this DNS hijacker, the user should go to System Preferences → Profiles and remove this profile by clicking on “-” button:

 

POC:

Filename: “flashupdate.mobileconfig”

SHA256: 7318b716a5db5fa097944ba0ed7c1b7587bd50500b115166df50af67a57dcd76 (not in VirusTotal)

Size: 12KB

DNS IP: 18.224.232.26

 

About the authors:

Oksana Davidov is a Senior Malware Researcher with experience in Cyber Security field, working with some of the leading organizations in the market. She acquired a deep knowledge of malware techniques and cyber-attack campaigns from defensive and offensive viewpoints. Her experience includes reverse engineering, malware analysis, computer and network forensics, incident response and development. 

Roee Avni is a security researcher for over 4 years, with experience of malware analysis, reverse engineering, incident response and development. 

Subscribe to our blog

Get Airo

Try Airo AV and Airo Web Protection

Try Airo