Researchers have discovered a new method of attack that targets home routers and changes the DNS settings to redirect the victims to a malicious website that delivers the infostealer malware called “Osk” that appears to have appeared late in 2019.
Landing websites present information about the Coronavirus pandemic and compel victims to download an app promising to provide victims “the latest information and instructions about coronavirus (COVID-19)” through the app.
COVID-19 Nowadays theme is badly exploited to lure victims using phishing attacks and trick victims to steal confidential information.
Attackers can use Bitbucket, the famous web-based version control repository hosting service to store malicious payload, and TinyURL, the current URL shorten service to cover the connection that redirects users to get to the Bitbucket.
Bitdefender investigators confirmed the following main findings of this attack
1.Mostly targets Linksys routers, bruteforcing remote management credentials
2. Hijacks routers and alters their DNS IP addresses
3. Redirects a specific list of webpages/domains to a malicious Coronavirus-themed webpage
4. Uses Bitbucket to store malware samples
5. Uses TinyURL to hide Bitbucket link
6 . Drops Oski inforstealer malware
Attacker searching the internet to locate the vulnerable home router to execute a brute-forcing attack on the password and change the DNS IP settings.
DNS configuration plays a significant role in the determination of the right IP address for the respective domain names.
If the attackers modify the DNS IP addresses from the targeted routers, the user request will be resolved to any web page which the attacker controls.
In this campaign, the following domain list is targeted:
- aws.amazon.com”
- “goo.gl”
- “bit.ly”
- “washington.edu”
- “imageshack.us”
- “ufl.edu”
- “disney.com”
- “cox.net”
- “xhamster.com”
- “pubads.g.doubleclick.net”
- “tidd.ly”
- “redditblog.com”
- “fiddler2.com”
- “winimage.com”
Users will be routed to the IP addresses (176.113.81.159, 193.178.169.148, 95.216.164.181) if the traffic that passes through the compromised router and the user tries to access the domains mentioned above.
Changing the DNS settings never raises any red flag and users will believe they have landed on a legitimate website other than another IP address.
“The webpages display a message purportedly from the World Health Organization, telling users to download and install an application that offers instructions and information about COVID-19.” Bitdefender said.
Attacker sets the initial hyperlink to https:/google.com/chrome, a clean and well-known domain but, in reality, an “on-click” event is set that changes the URL to the malicious one hidden with TinyURL.
When victims press the download button, the Bitbucket repository drops a malicious file, but the victims are unaware of it.
“In the final stage of the attack, a malicious file packed with MPRESS is downloaded. This payload is the Oski stealer that communicates with a C&C server for uploading the stolen information.”
Bitdefender telemetry found that most of the targeted vulnerable routers in Germany, France and the United States are attempted to hack.
