In the wake of the Coronavirus or COVID-19 pandemic, we’ve seen cybercriminals take full advantage and launch different attacks as we covered them recently on HackRead.com. Just yesterday it was reported that hackers are actively targeting the World Helth Organization (WHO).
Now, just yesterday, Bitdefender has published a new report which highlights how attackers are using DNS hijacking to target Linksys routers tricking users in downloading a piece of malware named “Oski infostealer”.
This payload is stored on a legitimate and famous version control system cum hosting service called Bitbucket which helps in convincing the user that they are not being misled. Furthermore, a URL shortener – TinyURL – is also used to help conceal the original download link on Bitbucket from the user.
To start with the details, the attackers try to brute force the passwords of the routers they detect online. Elaborating on this, Bitdefender states,
It seems that attackers are bruteforcing some Linksys router models, either by directly accessing the routers management console exposed online or by bruteforcing the Linksys cloud account.
Once this is done, they then change the domain name server settings in these routers for different domains to redirect them to their own malicious site. To understand how this happens, we need to understand how DNS works.
Whenever one types in a domain name in the URL bar, their browsers seeks an IP address from a DNS service that exactly corresponds to that domain. This helps it to locate the desired website with precision much like how we use names in a phonebook which are translated to cell numbers once we initiate a call. Misusing this, the attackers, in this case, change the underlying URL that a legitimate domain would correspond to.
So for example in this case, if the user types in any one of the following domain names:
They will not be taken to the real IP addresses corresponding to them but the fake IP addresses set by the attackers which are 18.104.22.168 and 22.214.171.124.
After being redirected, they are greeted with a notice claiming to be from the World Health Organization (WHO) asking users to download & install an application that will give them the “latest information and instructions” about the virus.
Further explaining this phenomenon, the researchers add how as shown in the image above,
“The download button has the href tag (hyperlink) set to https://google (dot) com/chrome so it seems clean when the victim hovers over the button. But actually an on-click event is set that changes the URL to the malicious one, hidden in the URL shortened with TinyURL.”
Once the user clicks on the download button then, they end up downloading the trojan with the filename of the installer innocuously named along the lines of runset.EXE, covid19informer.exe, or setup_who.exe.
Upon installation, Oski tries to steal a range of data from the computer including but not limited to browsing cookies, history, autofill information & payment details, authentication credentials and cryptocurrency wallet private keys. The collected data is then sent to the attackers via a C2 server.
Currently, estimated download numbers observed from the 2 Bitbucket repositories that remain online are 1193. If we were to factor in additional buckets either on Bitbucket or other websites, the number would likely be much higher.
Concerning the proportionality in relation to which countries were targeted the most, the United States is in the lead followed by Germany and France respectively.
To guard against such attacks, it is important that users change any default credentials of their router devices. Further, it is advised that for the best security, remote administration tools should be avoided. Nonetheless, if one does use them, they should be using encryption followed with strong passwords.