Hackers are dropping a malicious COVID-19 application by exploiting vulnerable routers.
Attackers are using DNS hijacking against Linksys routers to trick users into downloading a piece of malware named “Oski infostealer”. The payload is hosted on Bitbucket, a legitimate and well-known version control hosting service, which makes the download look trustworthy to the user. In addition, a URL shortener, TinyURL, is used to hide the original Bitbucket download link from the user.
The attackers first try to brute-force the administrative passwords of routers they find exposed online. Once inside, they change the routers' DNS server settings so that requests for certain domains are redirected to a site under the attackers' control. Users who are redirected are greeted with a notice claiming to be from the World Health Organization (WHO), asking them to download and install an application that will give them the “latest information and instructions” about the virus.
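The redirection described above works because the router hands every client a resolver the attackers control, so the same page answers for many unrelated domains. The following detection script is an added example written for this article; it is not NPAV's code or any tool named on the page. It queries a trusted reference resolver directly with a hand-built RFC 1035 A-record request, compares those answers with what the local resolver returns, and flags domains that either disagree with the reference or collapse onto one shared address. The resolver address, the example domains and the documentation-range IPs in the sample data are constructed assumptions, not indicators from the article.

```python
"""Detect router-level DNS hijacking by comparing a trusted reference resolver's
answers with the local (router-supplied) resolver's.  Sample data is constructed."""
from __future__ import annotations

import socket
import struct
from collections import defaultdict


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 A-record query for `name` (RD=1, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += length + 1


def parse_a_records(pkt: bytes) -> list[str]:
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return ips


def make_response(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Construct a one-answer response to build_query(name); used for offline testing."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def resolve_via(name: str, resolver_ip: str, timeout: float = 3.0) -> list[str]:
    """Query one specific resolver over UDP/53 (needs network; not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def find_hijacked(local: dict[str, list[str]], reference: dict[str, list[str]],
                  collapse_threshold: int = 3) -> dict[str, list[str]]:
    """Flag domains whose local answer shares no address with the reference answer,
    and domains that collapse onto one IP shared by `collapse_threshold` or more
    unrelated names (the hallmark of a router redirecting many sites to one page)."""
    reasons: dict[str, list[str]] = defaultdict(list)
    names_per_ip: dict[str, set[str]] = defaultdict(set)
    for name, ips in local.items():
        for ip in ips:
            names_per_ip[ip].add(name)
        if not set(ips) & set(reference.get(name, [])):
            reasons[name].append("differs from reference resolver")
    for ip, names in names_per_ip.items():
        if len(names) >= collapse_threshold:
            for name in names:
                reasons[name].append(f"shares {ip} with {len(names) - 1} other domains")
    return dict(reasons)


# Constructed sample data: three reserved example domains all resolve locally to one
# documentation-range address, while the reference resolver returns distinct ones.
LOCAL_ANSWERS = {
    "example.com": ["203.0.113.7"],
    "example.net": ["203.0.113.7"],
    "example.org": ["203.0.113.7"],
    "example.test": ["198.51.100.40"],
}
REFERENCE_ANSWERS = {
    "example.com": ["198.51.100.10"],
    "example.net": ["198.51.100.20"],
    "example.org": ["198.51.100.30"],
    "example.test": ["198.51.100.40"],
}

if __name__ == "__main__":
    # For a live check, build `local` with socket.gethostbyname_ex(d)[2] and
    # `reference` with resolve_via(d, "<trusted resolver IP>") for each domain d.
    for domain, why in sorted(find_hijacked(LOCAL_ANSWERS, REFERENCE_ANSWERS).items()):
        print(f"{domain}: {'; '.join(why)}")
```

The "many domains, one address" heuristic matters because a hijacked router usually redirects every chosen site to the same landing page, so even without a reference resolver a cluster of unrelated names sharing one IP is a strong signal. Compare against the router's configured DNS servers as well: if they are not the ISP's or a resolver you chose, the router settings themselves have been tampered with.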
Once the user clicks the download button, they end up downloading the trojan as an installer with an innocuous-looking filename such as “runset.EXE”, “covid19informer.exe”, or “setup_who.exe”. Once installed, Oski tries to steal a range of data from the computer, including but not limited to browser cookies, browsing history, autofill and payment details, authentication credentials and cryptocurrency wallet private keys. The collected data is then sent to the attackers via a command-and-control (C2) server.
NPAV recommends never trusting such sites and applications, as they simply exploit the pandemic for the attackers' benefit. Gather and spread information only from trusted sources and stay away from fake news and misinformation.
Use NPAV and join us on a mission to secure the cyber world.