Hackers Hijack Routers To Spread Malware Through Coronavirus Apps

The router DNS hijacking attacks have targeted more than 1,000 victims with the Oski info-stealing malware.

Cybercriminals are hijacking routers and changing their domain name system (DNS) settings in order to redirect victims to attacker-controlled sites promoting fake Coronavirus information apps. Downloading these apps infects victims with the information-stealing Oski malware.

Hackers are getting more innovative in how they leverage the Coronavirus pandemic, as this latest attack shows. In just the past few days at least 1,193 victims were targeted by this campaign, and researchers believe it is working. Reports of the hacks began on March 18 and skyrocketed over the last week; most of the victims targeted are in the U.S., Germany, and France.

Liviu Arsene of Bitdefender wrote in a post on Wednesday: “We estimate that the number of victims is likely to grow in the coming weeks, especially if attackers have set up other repositories, whether hosted on Bitbucket or other code repository hosting services, as the Coronavirus pandemic remains a ‘hot topic.’ Attackers seem to have been probing the internet for vulnerable routers, managing to compromise them – potentially via brute-forcing passwords – and changing their DNS IP settings.”

Bitdefender said the cybercriminals are focused on Linksys routers. According to the researchers, the attackers are targeting the routers by brute-forcing remote management credentials. A report from BleepingComputer shows that D-Link routers are also being compromised.

The attackers are hijacking the routers and modifying their DNS IP addresses. When a user types in a website name, DNS services send them to the IP address serving that domain name; by changing the DNS IP addresses in the router’s settings, attackers can therefore redirect unknowing users to attacker-controlled webpages.

Among the domain names for which users are redirected are:
“aws.amazon[.]com”, “goo[.]gl”, “bit[.]ly”, “washington[.]edu”, “imageshack[.]us”, “ufl[.]edu”, “disney[.]com”, “cox[.]net”, “xhamster[.]com”, “pubads.g.doubleclick[.]net”, “tidd[.]ly”, “redditblog[.]com”, “fiddler2[.]com” and “winimage[.]com.”
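A defender-side check for the hijack described above, added here as an example that is not part of the original article: it resolves the domains listed in the campaign through the local resolver (on a home network, the router whose settings were rewritten) and through a trusted resolver supplied by the caller, flags domains whose answers share no address, and reports any single address that several unrelated flagged domains point at, which is the signature of a rewritten router. The trusted resolver (for instance one querying a public DNS server directly with a library such as dnspython) is assumed and not implemented here.

```python
import socket
from typing import Callable, Dict, List

# Domains the article reports as redirected (defanging brackets removed).
WATCHED_DOMAINS = [
    "aws.amazon.com", "goo.gl", "bit.ly", "washington.edu", "imageshack.us",
    "ufl.edu", "disney.com", "cox.net", "xhamster.com", "pubads.g.doubleclick.net",
    "tidd.ly", "redditblog.com", "fiddler2.com", "winimage.com",
]

Resolver = Callable[[str], List[str]]  # domain name -> list of IPv4 addresses


def system_resolve(name: str) -> List[str]:
    """Resolve through the OS resolver, which on a home network is usually the
    router, i.e. exactly the DNS settings the attackers modified."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def find_hijacked(local: Resolver, trusted: Resolver,
                  domains: List[str] = WATCHED_DOMAINS) -> Dict[str, Dict[str, List[str]]]:
    """Flag domains whose local answers share no address with the trusted answers.

    CDNs legitimately hand out different subsets of addresses, so a single shared
    address is accepted; zero overlap is the signal of a rewritten resolver.
    The trusted resolver is assumed to be supplied by the caller (e.g. a direct
    query to a public DNS server that bypasses the router)."""
    suspicious: Dict[str, Dict[str, List[str]]] = {}
    for name in domains:
        local_ips, trusted_ips = set(local(name)), set(trusted(name))
        if local_ips and not (local_ips & trusted_ips):
            suspicious[name] = {"local": sorted(local_ips), "trusted": sorted(trusted_ips)}
    return suspicious


def shared_sinkhole(report: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """The campaign points many unrelated domains at one attacker server; return
    every local address that more than one flagged domain resolves to."""
    seen: Dict[str, set] = {}
    for name, answers in report.items():
        for ip in answers["local"]:
            seen.setdefault(ip, set()).add(name)
    return {ip: sorted(names) for ip, names in seen.items() if len(names) > 1}
```

Running `find_hijacked(system_resolve, your_trusted_resolver)` on an affected network should list the shortener and other domains above all pointing at the same address, which `shared_sinkhole` then isolates.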

When victims try to reach one of these domain names, the attackers redirect them to a specific set of Coronavirus-themed webpages. Pretending to be from the World Health Organization (WHO), these sites display a message telling users to install an app offering further Coronavirus information (via a “download” button).

The researchers stated:
“The download button has the ‘href’ tag (hyperlink) set to https://google[.]com/chrome so it seems clean when the victim hovers over the button. But an ‘on-click’ event is set that changes the URL to the malicious one, hidden in the URL shortened with TinyURL.”

The attackers used Bitbucket, a legitimate (and popular) web-based repository hosting service, to store the malware samples and to cover their tracks. Once victims click the TinyURL link, the Oski downloader is dropped through a file named “runset.EXE”, “covid19informer.exe”, or “setup_who.exe” (these names are another attempt by the hackers to give the download an air of legitimacy).

“Oski is a relatively new info stealer that seems to have emerged in late 2019,” said the researchers. “Some of the features that it packs revolve around extracting browser credentials and cryptocurrency wallet passwords, and its creators even brag that it can extract credentials stored in SQL databases of various Web browsers and Windows Registry.”

Over the last week, potential victims have been complaining of the hacks on BleepingComputer’s forums. On March 18, one user wrote: “So tonight I boot up my computer and just let it chill on my desktop whilst I’m playing my switch. After a few minutes, my computer automatically opens a browser window and goes to the Microsoft internet redirect like it would when you need to accept terms and conditions to use a network.”

The researchers suggest that Linksys and D-Link router users change the credentials used to access the router’s control panel. They also propose that customers change their Linksys cloud account credentials, or those of any remote-management account for their routers, to avoid takeovers through brute-forcing or credential-stuffing attacks.

Attackers continue to leverage Coronavirus-themed cyberattacks, including malware attacks, booby-trapped URLs and credential-stuffing scams, as panic around the global pandemic continues. APT groups have been eyeing the pandemic as a lure for spreading data-exfiltration malware, especially with more businesses moving to a work-from-home model in response to the virus.

Bitdefender researchers stated:
“While it’s not uncommon for hackers to piggyback global news, such as the pandemic, to deliver phishing emails laced with tainted attachments, this recent development proves they are nothing if not creative in compromising victims.”
