Security researchers at Team Cymru have uncovered a pharming attack campaign targeting small office and home office (SOHO) routers. So far, more than 300k SOHO routers have been compromised.
The hackers altered the DNS settings on the compromised devices to use the IP addresses '5.45.75[.]11' and '5.45.75[.]36', redirecting victims to the attacker's website.
Most of the compromised devices are in Vietnam; India is also among the top countries affected by this campaign. Other affected countries include Italy, Thailand, Indonesia, Ukraine, Turkey and Colombia.
The affected routers come from a number of manufacturers, including Micronet, Tenda, D-Link and TP-Link. Researchers say the affected devices are vulnerable to multiple exploits, including a CSRF attack and a vulnerability in ZyXEL firmware.
The vulnerability in ZyXEL's ZynOS was discovered by a researcher back in January; it allows an attacker to download the router's configuration file directly from http://[IP Address]/rom-0.
So far, the attackers do not seem to have abused the compromised devices. But the attack is similar to the attack against a number of Poland's banks, in which the attacker changed the DNS configuration in order to steal online banking login credentials.
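A quick way for a defender to check whether a host behind one of these routers has been handed the rogue resolvers is to compare the DNS servers it actually uses against the two addresses named above. The script below is an added example, not code from Team Cymru's report: it reads resolv.conf-style text (the sample shown is constructed, and on a real machine you would read /etc/resolv.conf or the DHCP lease instead), normalises defanged indicators such as 5.45.75[.]11, and reports any configured nameserver that matches.

```python
"""Flag DNS resolver settings that match the rogue resolvers from this campaign.

Added example (not from the Team Cymru report). The indicator list holds the two
addresses named in the article, written defanged as they appear there; the
sample resolv.conf text is constructed for the demonstration.
"""
import ipaddress
import re

# Indicators from the article, kept in defanged form so they can be pasted as-is.
CAMPAIGN_RESOLVERS = {"5.45.75[.]11", "5.45.75[.]36"}


def refang(indicator: str) -> str:
    """Turn a defanged IoC like '5.45.75[.]11' back into a comparable '5.45.75.11'."""
    return indicator.replace("[.]", ".")


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver addresses from resolv.conf-style text.

    Comments and malformed addresses are skipped; addresses are normalised through
    ipaddress so that e.g. leading zeros or IPv6 case differences do not matter.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        match = re.match(r"nameserver\s+(\S+)$", line)
        if not match:
            continue
        try:
            servers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue                                 # not a valid IP, ignore the entry
    return servers


def find_rogue_resolvers(servers, indicators=CAMPAIGN_RESOLVERS) -> list[str]:
    """Return the configured resolvers that appear in the indicator set."""
    rogue = {refang(i) for i in indicators}
    return [s for s in servers if s in rogue]


# Constructed sample: what a client on a compromised router might be handed via DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
nameserver 5.45.75.11
nameserver 8.8.8.8   # secondary resolver
search lan
"""


if __name__ == "__main__":
    hits = find_rogue_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF))
    if hits:
        print("WARNING: resolver(s) match the campaign indicators:", ", ".join(hits))
    else:
        print("No configured resolver matches the campaign indicators.")
```

Because the indicator set is a plain set of strings, the same check can be reused with a larger list of rogue resolvers from other pharming incidents; only the DNS servers actually in use are compared, so a router that was changed and later restored produces no hit.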