Pierluigi Paganini March 26, 2020

The number of Coronavirus-themed attacks continues to increase, crooks hijack D-Link and Linksys routers to redirect users to sites spreading COVID19-themed malware.

Crooks continue to launch Coronavirus-themed attacks, experts observed hackers hijacking D-Link and Linksys routers to redirect users to COVID19-themed sites spreading malware.

Hackers compromiseD-Link and Linksys routers and change DNS settings to redirect users to bogus sites proposing a fake COVID-19 information app from the World Health Organization. In some cases, users were infected with the Oski information-stealing malware. The alarming trend was reported by BleepingComputer researchers and security firm Bitdefender.

“For the past five days, people have been reporting their web browser would open on its own and display a message prompting them to download a ‘COVID-19 Inform App’ that was allegedly from the World Health Organization (WHO).” reported BleepingComputer.

“After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers.”

Experts believe hackers are launching brute-force attacks against the routers, then they change the default DNS server settings to point the device to servers under their control.

Every time users attempt to visit a site that is included a list of domains targeted by the hackers, they are redirected to a site urging users to install a (COVID-19) information app.

Experts from BleepingComputer reported that attackers would change the configured DNS servers to 109[.]234.35.230 and 94[.]103.82.249. The presence of these two IP addresses in the DNS settings of your D-Link or Linksys routers indicates that your device has been hacked.

“As in the screenshot below, whenever victims wanted to visit one of the targeted domains listed above, attackers would simply display a message as if prompted by the legitimate domain.” reads the analysis published by BitDefender. “Since the domain name displayed in the browser’s address bar is unchanged, victims would have no reason to believe that the viewed message is being served from an attacker-controlled IP address.”

Both Bitdefender and Bleeping Computer confirmed that the app proposed to the netizens is a version of the Oski info-stealer trojan that is available for sale on Russian-speaking dark web forums.

The malware is able to steal account credentials from browsers and cryptowallet files to hijack cryptocurrency accounts.

Below the list, published by Bitdefender, of some domains targeted in this attack:

• aws.amazon.com
• goo.gl
• bit.ly
• washington.edu
• imageshack.us
• ufl.edu
• disney.com
• cox.net
• xhamster.com
• pubads.g.doubleclick.net
• tidd.ly
• redditblog.com
• fiddler2.com
• winimage.com

Victims of this attack should restore the DNS settings to legitimate IP addresses and of course secure their router by changing the admin panel password.

Bitdefender’s telemetry shows that the attacks started on March 18th, experts observed with a peak in activity on March 23rd.

Bitdefender telemetry shows that most of the victims are in Germany, France, and the United States (over 73 percent of the total), these countries are also among those most impacted by the pandemic.

“We estimate that the number of victims is likely to grow in the coming weeks, especially if attackers have set up other repositories, whether hosted on Bitbucket or other code repository hosting services, as the Coronavirus pandemic remains a “hot topic”. ” concludes Bitdefender.

Pierluigi Paganini

(SecurityAffairs – coronavirus, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]