Cyber criminals routinely target DNS servers so that users trying to visit a legitimate domain are redirected to a malicious server instead. These name servers handle thousands of legitimate domains, so compromising one gives attackers control over an enormous volume of requests and lets them serve malware from any domain that relies on that DNS service.
On August 5th, Dutch web hosting companies suffered cyber attacks: their name servers were changed by attackers who appear to have accessed an account at the Dutch national domain registrar, SIDN, and altered the companies' name server details to point at malicious hosts under the attackers' control.
Three hosting companies were affected by the DNS server compromise:
- Digitalus
- VDX
- Webstekker
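The attack described above works at the registrar level: the delegation (NS records) for the victim domains was rewritten, so every resolver on the Internet was steered to hosts the attackers controlled. A defender can catch that kind of change quickly by recording the expected name servers for each domain and comparing them against what the DNS actually publishes on a schedule. The script below is an added example, not code from the article or from any of the companies named; the domain and name server names in it are constructed placeholders, and the dig-style answer text stands in for what a scheduled lookup would capture.

```python
"""Detect unexpected changes to a domain's NS delegation.

Added example (not from the article). It compares the name servers
currently published for a domain against a recorded baseline and reports
additions, removals and name servers outside the operator's own domains.
All names below are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the answer section of a `dig NS` query as a scheduled
# job might capture it. Case and trailing dots vary on purpose, because real
# resolver output is not always canonical.
SAMPLE_DIG_ANSWER = """\
; <<>> constructed sample answer section <<>>
example-hoster.nl.    3600  IN  NS  ns1.example-hoster.nl.
example-hoster.nl.    3600  IN  NS  NS2.Example-Hoster.NL
example-hoster.nl.    3600  IN  NS  ns1.rogue.example.
example-hoster.nl.    3600  IN  A   192.0.2.10
"""

# Baseline recorded when the delegation was known to be good (constructed).
BASELINE_NS = {"ns1.example-hoster.nl", "ns2.example-hoster.nl"}

# Parent domains under which this operator's own name servers live (constructed).
TRUSTED_NS_SUFFIXES = ("example-hoster.nl",)

# Matches "<owner> <ttl> IN NS <target>"; other record types are skipped.
NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)


def normalize(name: str) -> str:
    """Canonical form of a DNS name: lower-case with no trailing dot."""
    return name.rstrip(".").lower()


def parse_ns_answer(text: str) -> set[str]:
    """Extract NS targets from dig-style answer lines, ignoring comments and other RR types."""
    found: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = NS_LINE.match(line)
        if m:
            found.add(normalize(m.group(3)))
    return found


@dataclass(frozen=True)
class DelegationDrift:
    added: frozenset[str]      # name servers present now but not in the baseline
    removed: frozenset[str]    # baseline name servers that have disappeared
    foreign: frozenset[str]    # name servers outside the trusted parent domains

    @property
    def changed(self) -> bool:
        return bool(self.added or self.removed or self.foreign)


def is_trusted(ns_host: str, suffixes: tuple[str, ...]) -> bool:
    """True if ns_host equals or is a subdomain of one of the trusted suffixes."""
    host = normalize(ns_host)
    return any(host == s or host.endswith("." + s) for s in map(normalize, suffixes))


def check_delegation(observed: set[str], baseline: set[str],
                     suffixes: tuple[str, ...] = TRUSTED_NS_SUFFIXES) -> DelegationDrift:
    """Compare observed NS set with the baseline and flag anything suspicious."""
    obs = {normalize(n) for n in observed}
    base = {normalize(n) for n in baseline}
    foreign = {n for n in obs if not is_trusted(n, suffixes)}
    return DelegationDrift(frozenset(obs - base), frozenset(base - obs), frozenset(foreign))


def report(drift: DelegationDrift) -> str:
    """Human-readable summary suitable for an alert body."""
    if not drift.changed:
        return "OK: delegation matches baseline"
    lines = ["ALERT: NS delegation drift"]
    for label, names in (("added", drift.added), ("removed", drift.removed), ("foreign", drift.foreign)):
        if names:
            lines.append(f"  {label}: {', '.join(sorted(names))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_delegation(parse_ns_answer(SAMPLE_DIG_ANSWER), BASELINE_NS)))
```

In practice the observed set would come from a query against the parent zone's authoritative servers (for .nl, the SIDN-operated servers) rather than from a caching resolver, so that a changed delegation is seen as soon as it is published; the same comparison applies either way.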
Subsequently, a large Dutch online electronics retailer, Conrad.nl, was reportedly found to be distributing malware and was taken down immediately after the discovery. The following image shows the source code found on the page to which visitors were redirected:
A blog post by Cisco described the additional content that was downloaded as follows:
“This file is actually an executable (.exe) file that installs a Tor client on the visitor’s machine, then connects over an encrypted channel to the IP address 154.35.32.5 and downloads content. Subsequently, the malware connects to 194.109.206.212, exchanges further content over an encrypted channel before connecting to Tor entrance nodes.”