26 March 2020

Hackers alter routers’ DNS settings to push malware

Bitdefender researchers have spotted a series of new attacks aimed at altering home routers’ DNS settings to redirect victims to a malicious coronavirus-themed website that delivers the Oski data-stealing malware.

It appears the campaign mainly targets Linksys routers. While it remains unknown exactly how the routers are being compromised, the researchers believe the attackers are brute-forcing them, either through a router management console exposed directly to the internet or through the owner's Linksys cloud account.

The webpage to which users are redirected mentions the coronavirus pandemic, promising to offer for download an application that will give out “the latest information and instructions about coronavirus (COVID-19)”, but in fact the app contains Oski infostealer, a relatively new malware capable of stealing credentials stored in browsers and cryptocurrency wallet passwords.

Once the DNS settings are changed on the router, requests to open a web page are sent from two IPs: 109.234.35.230 and 94.103.82.249. From there, all the attackers have to do is serve a popup when the victim visits one of a series of web pages.

“The download button has the ‘href’ tag (hyperlink) set to https://google.com[/]chrome so it seems clean when the victim hovers over the button. But actually an ‘on-click’ event is set that changes the URL to the malicious one, hidden in the URL shortened with TinyURL,” the researchers say.
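The deception described above is detectable from the page markup alone: the anchor's visible `href` and the URL its inline `onclick` handler navigates to point at different hosts. The following script is an added example (not Bitdefender's code or the original article's) that parses HTML with Python's standard-library `html.parser` and flags anchors with that mismatch. The sample HTML is constructed for the demonstration, and the `tinyurl.com/EXAMPLE-PLACEHOLDER` link is a placeholder, not the real shortened URL from the campaign.

```python
"""Flag <a> elements whose hover-visible href disagrees with the URL an inline
onclick handler actually navigates to (the 'clean href, malicious on-click' lure)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# String literals assigned to location / location.href / window.location /
# document.location inside an inline handler, e.g. window.location = 'https://...'
_LOCATION_RE = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
)
# window.open('https://...') is the other common way to redirect from a handler
_OPEN_RE = re.compile(r"""window\.open\(\s*['"]([^'"]+)['"]""")


def urls_in_handler(js: str) -> list[str]:
    """Return every navigation target found in an inline handler body."""
    return [m.group(1) for m in _LOCATION_RE.finditer(js)] + [
        m.group(1) for m in _OPEN_RE.finditer(js)
    ]


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it is relative or malformed)."""
    return (urlparse(url).hostname or "").lower()


class AnchorAuditor(HTMLParser):
    """Collect anchors whose onclick navigates to a different host than href."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)  # html.parser lower-cases attribute names for us
        href, onclick = a.get("href"), a.get("onclick")
        if not href or not onclick:
            return
        for target in urls_in_handler(onclick):
            # Same-host redirects (e.g. adding a tracking parameter) are benign;
            # a different host means the hover text lies about the destination.
            if host_of(target) != host_of(href):
                self.findings.append({"href": href, "onclick_target": target})


def audit_html(html: str) -> list[dict]:
    """Parse a page and return one finding per deceptive anchor."""
    parser = AnchorAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one honest link, one lure in the style described
# by the article (href shows google.com/chrome, onclick goes to a shortener),
# and one same-host redirect that should not be flagged.
SAMPLE_HTML = """
<html><body>
<a href="https://example.com/docs" onclick="track('docs');">Documentation</a>
<a href="https://google.com/chrome"
   onclick="window.location = 'https://tinyurl.com/EXAMPLE-PLACEHOLDER'; return false;">
   Download the COVID-19 information app</a>
<a href="https://example.com/help"
   onclick="location.href='https://example.com/help?src=button'">Help</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(f"deceptive anchor: href={finding['href']} "
              f"-> onclick navigates to {finding['onclick_target']}")
```

The check is deliberately conservative: it only inspects inline `onclick` attributes, so handlers attached from external scripts via `addEventListener` are out of scope, and it compares hostnames rather than full URLs so that same-site redirects that merely add parameters are not reported.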

The malware samples are stored on Bitbucket, the popular web-based version control repository hosting service. To trick users, the hackers also use the URL-shortening web service TinyURL to hide the link to the Bitbucket payload. During the investigation, Bitdefender researchers discovered four Bitbucket repositories, two of which are still up. The number of downloads of the content on those accounts is still just over a thousand, with the majority (73%) of victims located in Germany, France, and the United States.
