Bitdefender researchers have spotted a series of new attacks aimed at altering home routers’ DNS settings to redirect victims to a malicious coronavirus-themed website that delivers the Oski data-stealing malware.
It appears the campaign mainly targets Linksys’ routers. While it remains unknown how exactly routers are being hacked, the researchers believe attackers are bruteforcing devices, either by directly accessing the router’s management console exposed online or by bruteforcing the Linksys cloud account.
The webpage to which users are redirected mentions the coronavirus pandemic, promising to offer for download an application that will give out “the latest information and instructions about coronavirus (COVID-19)”, but in fact the app contains Oski infostealer, a relatively new malware capable of stealing credentials stored in browsers and cryptocurrency wallet passwords.
Once the DNS settings are changed on the router, requests to open a web page are sent from two IPs: 109.234.35.230 and 94.103.82.249. All the hackers have to do is send a popup along when visiting a series of web pages.
“The download button has the “href” tag (hyperlink) set to https://google.com[/]chrome so it seems clean when the victim hovers over the button. But actually an “on-click” event is set that changes the URL to the malicious one, hidden in the URL shortened with TinyURL,” the researchers say.
The malware samples are stored on Bitbucket, the popular web-based version control repository hosting service. In order to trick users the hackers also use the popular URL-shortening web service TinyURL to hide the link to the Bitbucket payload. During the investigation, Bitdefender researchers discovered four Bitbucket repositories, two of them are still up. The number of downloads of the content on those accounts is still just over a thousand with majority (73% ) of victims located in Germany, France, and the United States.