A recently discovered campaign that targets home and small-office routers is redirecting users to fake COVID-19 informational sites that attempt to install password stealing malware.
According to Bitdefender report, it's possibly that the threat actors are guessing passwords used to secure routers’ remote management console when that feature is turned on, also guessing credentials for users’ Linksys cloud accounts:
- Mostly targets Linksys routers, bruteforcing remote management credential
- Hijacks routers and alters their DNS IP addresses
- Redirects a specific list of webpages/domains to a malicious Coronavirus-themed webpage
- Uses Bitbucket to store malware samples
- Uses TinyURL to hide Bitbucket link
- Drops Oski inforstealer malware
What you should do if affected by this attack
According to Bleepingcomputer :
If your browser is randomly opening to a page promoting a COVID-19 information app, then you need to login to your router and make sure you configure it to automatically receive its DNS servers from your ISP.
As every router has a different way of configuring DNS servers, it is not possible to give a specific method on how to do this.
In general, you will want to follow these steps:
- Login to your router
- Find the DNS settings and make sure there are no servers,
especially 220.127.116.11 and 18.104.22.168, manually configured. If
they are, set the DNS servers setting to 'Automatic' or ISP assigned.
- Then save your configuration.
You should now be able to reboot your mobile devices, game consoles, and computers so that they use the correct DNS settings from your ISP.
As people are reporting that they think their settings were changed because of a weak password and that remote administration was enabled, it is important to change your password to something stronger and to disable remote administration on the router.
Finally, if you downloaded and installed the COVID-19 app, you should immediately perform a scan on your computer for malware.
Once clean, you should change all of the passwords for sites whose credentials are saved in your browser and you should change the passwords for any site that you visited since being infected.
When resetting your passwords, be sure to use a unique password at every site.