Not really, especially in Latin America. Every day we register lots of similar attacks, each abusing local DNS
settings. Actually these attacks are a bit different because they modify the local HOST file but the principle is the same – redirecting the victim to a malicious host via malicious DNS records.
Latin American cybercriminals are used to recycling old techniques used elsewhere in the past and what is happening right now is a growth of attacks abusing local DNS settings. The latest social engineering-based malware attack in Mexico – which imitated the Mexican tax office – is a recent example of this.
By clicking on the link the victim downloads and installs a Trojan which is related to Ngrbot and modifies the local HOST file. It steals money from two Mexican banks by redirecting the infected
victims to fake banking websites.
There is interesting information contained inside the code – the source of the Trojan before the compilation.
After browsing some underground Spanish-language forums, I found that the author of this malware has been operating since at least 2004 and apparently lives in Peru.
Most of the victims are, of course, from Mexico. The main means of spreading the malware is email and the most widely-targeted email provider is Yahoo mail.
There are at least 11,540 downloads of this malware and the overall it has been detected by 9 out of 31 antivirus engines. That basically means there are some 8,000 infections out there.
The fact that a fairly experienced cybercriminal (operating from 2004) still uses malicious techniques to abuse local DNS settings and can still net a large number of victims (8,000) once again confirms that the DNSChanger trend won’t change in the near feature. We will keep seeing new pieces of malware using and refining the
same technique. This story is set to continue…