A recently discovered campaign that targets home and small-office routers is redirecting users to fake COVID-19 informational sites that attempt to install password-stealing malware.



A post published by security firm Bitdefender [1] said the attack is targeting Linksys routers, but other sources [2] said the campaign also targets D-Link devices.

According to the Bitdefender report, the threat actors are most likely guessing the passwords that protect the routers' remote management console when that feature is turned on, and also guessing the credentials of users' Linksys cloud accounts:

Key findings:

- Mostly targets Linksys routers, brute-forcing remote management credentials
- Hijacks routers and alters their DNS IP addresses
- Redirects a specific list of webpages/domains to a malicious Coronavirus-themed webpage
- Uses Bitbucket to store malware samples
- Uses TinyURL to hide Bitbucket link
- Drops the Oski infostealer malware


What you should do if affected by this attack

According to BleepingComputer [2]:

If your browser is randomly opening to a page promoting a COVID-19 information app, then you need to log in to your router and make sure you configure it to automatically receive its DNS servers from your ISP.

As every router has a different way of configuring DNS servers, it is not possible to give a specific method on how to do this.

In general, you will want to follow these steps:

  1. Log in to your router
  2. Find the DNS settings and make sure there are no servers, especially 109.234.35.230 and 94.103.82.249, manually configured. If they are, set the DNS servers setting to 'Automatic' or ISP assigned.
  3. Then save your configuration.

You should now be able to reboot your mobile devices, game consoles, and computers so that they use the correct DNS settings from your ISP.

As people are reporting that they think their settings were changed because of a weak password and that remote administration was enabled, it is important to change your password to something stronger and to disable remote administration on the router.

Finally, if you downloaded and installed the COVID-19 app, you should immediately perform a scan on your computer for malware.

Once clean, you should change all of the passwords for sites whose credentials are saved in your browser and you should change the passwords for any site that you visited since being infected.

When resetting your passwords, be sure to use a unique password at every site.
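
Clients behind a hijacked router typically receive the rogue resolvers via DHCP, so the check can also be run on the client. The following is an added example (not code from the Bitdefender or BleepingComputer write-ups) that parses resolv.conf-style resolver configuration, flags the two rogue addresses named above, and separates the expected case (the router's own LAN address) from public resolvers that deserve a second look; the sample configuration text is constructed for the demonstration.

```python
import ipaddress
import re

# The two rogue resolvers named in the guidance above (from the article; not a full IoC list).
ROGUE_RESOLVERS = {"109.234.35.230", "94.103.82.249"}

# Matches "nameserver <addr>" lines as found in /etc/resolv.conf.
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def extract_nameservers(resolv_conf: str) -> list:
    """Return the resolver addresses listed in resolv.conf-style text, in order."""
    return NAMESERVER_RE.findall(resolv_conf)


def classify_resolver(addr: str) -> str:
    """Triage one configured resolver the way a defender would."""
    if addr in ROGUE_RESOLVERS:
        return "known-rogue"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"          # the router itself or a local stub resolver: expected on a home LAN
    return "public-static"      # not one of the known IoCs, but compare it with what your ISP assigns


def audit_resolvers(resolv_conf: str) -> dict:
    """Map each configured resolver to its classification."""
    return {ns: classify_resolver(ns) for ns in extract_nameservers(resolv_conf)}


def is_hijacked(resolv_conf: str) -> bool:
    """True when any configured resolver is one of the known rogue addresses."""
    return any(label == "known-rogue" for label in audit_resolvers(resolv_conf).values())


# Constructed samples: a client that took its DNS from a hijacked router, and a clean one.
HIJACKED_SAMPLE = "# Generated by DHCP\nnameserver 109.234.35.230\nnameserver 94.103.82.249\n"
CLEAN_SAMPLE = "nameserver 192.168.1.1\n"

if __name__ == "__main__":
    for name, conf in (("hijacked", HIJACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, audit_resolvers(conf), "HIJACKED" if is_hijacked(conf) else "ok")
```

On Linux or macOS, feed the contents of /etc/resolv.conf to audit_resolvers; on Windows, compare the DNS server list shown by ipconfig /all against the same two addresses.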


References

  1. New Router DNS Hijacking Attacks Abuse Bitbucket to Host Infostealer
  2. Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps