Greetings!Recently, I have stumbled upon this concept, I have not seen any other threads warning people on this forum of this specific branch of malware and I feel that this is most certainly something everybody should be very aware of. To my knowledge there is no widespread infection from these viruses as there was for the clipboard jacker malware last year, but this is still something should know exists & how to prepare for. As with all my posts, if you have any other information regarding this, please leave a comment with it and I will append it to the original post.
What is Hostjacking?Hostjacking is when a malicious program overwrites a critical system file known as the "Hosts" that is present on all operating systems to redirect traffic from one website to the malicious attacker's clone of that website to intercept logins and steal sensitive data. To understand how this is performed, we must first understand what the hosts file is, what it's primary functions are, and how hackers manipulate the data present in this file.
What is a host file?A host file is a file that is present on Mac, Windows and Linux operating system file that maps hostnames to IP addresses, the standard function of these that we would see applied in less malicious circumstances are web administrators (such as at a school or university) using the hosts file to restrict access to certain websites, by making said websites redirect to 127.0.0.1 (Localhost IP address), meaning that it would be inaccessible.
An example of such mapping is as follows:
To put it in layman's terms, this line of code in hosts redirects all traffic when you access instagram.com to localhost, meaning you will be unable to access the original IP address for Instagram.
How do hackers access it?The hosts file is a file of the operating system, meaning more often than not it requires that whichever program attempts to make changes to it have administrative rights, I will not detail the methodologies that people use to acquire administrative access from a user, all that is required to be known is that it is a plaintext file that hackers gain administrator privileges to overwrite with their own malicious code.
The Attack VectorAs for how this can be exploited, do remember that the IP address doesn't have to be localhost, the attack vector in this is that a malicious attacker can map a different site (lets say, binance.com) and redirect it to their own server's IP, which would contain a phishing page that imitates Binance. And rather than requiring kernel level access to evade antivirus, the malicious program used to deliver the payload would need essentially 0 complexity. The only thing that a malicious actor would need to do once you've opened a piece of their malware is to write over plaintext file, and they would instantly be able to redirect all your traffic to one site to their own malicious site. This does not even require lots of obfuscation to subvert detection by any antivirus software, the "program" could literally be a batch file that writes over the hosts file, if the user enters their admin password or provides the application with administrative access, which most installer wizards request anyway, they have full access to the hosts file, meaning they have full control over your network and where your traffic is headed towards.
I have went ahead and demonstrated this in video form by redirecting the Binance.com website to a generic DataCamp server IP address, the video is not of the best quality and you will have to put up with my insufferable keyboard sounds (I forgot to mute my microphone) until the video is fully processed and my keyboard sounds are replaced with an even more insufferable Royalty free audio track.
> DEMONSTRATION HERE <As is visible in the video, the search bar still retained the "Binance.com" address while displaying the content of the page we set it to, since it is very difficult to tell at a glance, this becomes a very deadly attack to users who are unfamiliar with other detection methods, which I will be detailing in the next section of this post.
How to Detect Hostjack Phishing (And how to prevent it)Checking your hosts fileMac OSX - How to check hosts
There is a very simple way to check your hosts on MAC without actually requiring any administrative permissions
1. Launch terminal.app (You can find it by pressing CMD+SPACE and entering "Terminal"
2. Enter the following code: "cat /etc/hosts" (Remove the quotation marks)
3. Hit Enter
4. Look for any suspicious entries
Windows - How to check hosts
Blue snow has left a better method in the replies to this thread **
If you find any suspicious entries on your hosts file:
MacOSX - Removing host entries
1. Open finder
2. In the top of the screen, click Go > Go to folder
3. Enter "/etc" (Remove the quotation marks)
4. Open the hosts file in any text editor, remove the line then save
5. Enter your admin password when prompted to by the text editor
Windows - Removing host entries
1. Press your Windows Key
2. Type "Notepad"
3. When you see the Notepad icon, RClick > Open as Administrator
4. In Notepad, File > Open
5. Navigate to "type C:\Windows\System32\Drivers\etc\hosts" (Remove the quotation marks) in the File Explorer popup
6. Once the document is open, just delete the entries and CTRL+S
If you locate any suspicious entries on your host file, deleting them might not be enough, if you are absolutely certain that you didn't write the entries on to the host file, then it is very likely that your system has been compromised by a piece of malware, use a tool such as
MalwareBytes to scan your system for any malware. If all scans turn up empty on multiple antivirus softwares and the host file keeps being edited to display a spoofed/separate page, it is advisable to back up your important files on a USB and factory reset your machine.
Checking the SSL certificate of the website.If you believe that you are being hostjacked, it never hurts to check the SSL certificate of the website you believe may have been compromised. Most websites belonging to large companies such as Binance will have an SSL certificate which can be viewed by clicking the lock on the left side of the URL in your browser's navigation bar:
A Valid CertificateYou should not enter any sensitive data on any website if it does not have a valid SSL certificate, most phishing websites will display as "Not Secure" when you click the lock icon, and Hostjacked phishing sites are no exception.
