A new cyber attack is hijacking routers' DNS settings so that web browsers display alerts for a fake COVID-19 information app, supposedly from the World Health Organization, that is actually the Oski information-stealing malware.
For the past five days, people have been reporting their web browser would open on its own and display a message prompting them to download a ‘COVID-19 Inform App’ that was allegedly from the World Health Organization (WHO).
After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers.
As most computers use the IP address and DNS servers handed out by their router (via DHCP), the malicious DNS servers could resolve hostnames of the attacker's choosing to servers under the attacker's control.
Hijack Windows NCSI active probes
At this time, it is not known how the attackers are gaining access to the routers to change their DNS configuration, but some users state that they had remote access to the router enabled with a weak admin password.
Once the attackers gained access to the router, they would change the configured DNS servers to 18.104.22.168 and 22.214.171.124, which would also be configured on most computers that connect to the router.
When a computer connects to a network, Windows uses a feature called ‘Network Connectivity Status Indicator (NCSI)’ that periodically runs probes to check whether the computer is actually connected to the Internet.
In Windows 10, one of these active probes fetches http://www.msftconnecttest.com/connecttest.txt and checks whether the returned content contains the string ‘Microsoft Connect Test’.
If it does, Windows treats the computer as connected to the Internet; if it does not, Windows assumes something such as a captive portal is intercepting the connection, warns that the Internet is not accessible, and opens the browser to the page it received, which is why victims' browsers open on their own.
For victims of this attack, when Windows performs this NCSI active probe, the malicious DNS servers resolve www.msftconnecttest.com to a web site at 188.8.131.52 instead of the legitimate Microsoft IP address 126.96.36.199.
As this IP address is under the attacker’s control, instead of sending back a simple text file, they display a page prompting the victim to download and install a fake ‘Emergency – COVID-19 Informator’ or ‘COVID-19 Inform App’ from the WHO as shown below.
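To make the probe logic concrete, the following is an added Python example (not code from this article, from Microsoft, or from the attackers) that reproduces the NCSI check and inspects the DNS servers a Windows host is actually using. The `ipconfig /all` output, the lure-page HTML and the clean configuration embedded below are constructed samples; only the probe URL, the expected probe body and the two malicious DNS addresses come from the text above.

```python
from __future__ import annotations
import re
import socket
import urllib.request

# The NCSI active probe Windows 10 issues, and the body it expects back.
NCSI_URL = "http://www.msftconnecttest.com/connecttest.txt"
NCSI_EXPECTED_BODY = "Microsoft Connect Test"

# DNS servers the article reports the attackers writing into router config.
MALICIOUS_DNS = {"18.104.22.168", "22.214.171.124"}

# Constructed sample of `ipconfig /all` output on a host behind a hijacked
# router (fabricated for this example, not captured from a real victim).
HIJACKED_IPCONFIG = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 18.104.22.168
                                       22.214.171.124
"""

# Constructed sample of the same host with the router's usual DNS setting.
CLEAN_IPCONFIG = """\
Ethernet adapter Ethernet:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Constructed stand-in for the attackers' lure page (fabricated HTML, not the
# real page served at the IP named in the article).
HIJACK_BODY = "<html><body><h1>COVID-19 Inform App</h1><a href='#'>Download</a></body></html>"


def parse_dns_servers(ipconfig_text: str) -> list[str]:
    """Return the DNS servers listed in `ipconfig /all` output.

    Windows prints the first server on the 'DNS Servers' line and any further
    servers on continuation lines that carry only an address.
    """
    servers: list[str] = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*: (\S+)", line)
        if first:
            servers.append(first.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            cont = re.match(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
            if cont:
                servers.append(cont.group(1))
                continue
            in_dns_block = False
    return servers


def classify_ncsi_response(status: int, body: str) -> str:
    """Apply the NCSI rule described in the article.

    A 200 whose body is exactly the expected string means the probe succeeded.
    An HTML document where a one-line text file should be is the signature of
    this hijack (and of an ordinary captive portal); anything else is
    'unexpected' and worth a closer look.
    """
    if status == 200 and body.strip() == NCSI_EXPECTED_BODY:
        return "ok"
    lowered = body.lower()
    if "<html" in lowered or "<body" in lowered or "<script" in lowered:
        return "hijacked"
    return "unexpected"


def audit_host(ipconfig_text: str, status: int, body: str) -> dict:
    """Combine the resolver check and the probe check into one verdict."""
    servers = parse_dns_servers(ipconfig_text)
    bad = [s for s in servers if s in MALICIOUS_DNS]
    verdict = classify_ncsi_response(status, body)
    return {
        "dns_servers": servers,
        "malicious_dns": bad,
        "ncsi": verdict,
        "compromised": bool(bad) or verdict == "hijacked",
    }


def live_probe(timeout: float = 5.0) -> tuple[int, str, list[str]]:
    """Resolve the probe host with the system resolver and fetch the probe URL.

    Run this on a suspect host and compare the returned addresses with what
    the same name resolves to through a resolver you trust.
    """
    host = "www.msftconnecttest.com"
    addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, socket.AF_INET)})
    with urllib.request.urlopen(NCSI_URL, timeout=timeout) as resp:
        return resp.getcode(), resp.read().decode("utf-8", "replace"), addrs


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(audit_host(HIJACKED_IPCONFIG, 200, HIJACK_BODY))
    print(audit_host(CLEAN_IPCONFIG, 200, NCSI_EXPECTED_BODY))
```

Everything except `live_probe` works offline on the embedded samples, so the logic can be checked before running it on a machine that may be affected. A host that answers the probe with HTML while its configured DNS servers sit outside the LAN is exactly the combination this campaign produces; a host whose DNS servers are clean but whose probe still returns HTML is more likely behind a genuine captive portal.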
If a user downloads and installs the application, instead of receiving a COVID-19 information application, they will have the Oski information-stealing Trojan installed on their computer.
When launched, this malware will attempt to steal the following information from the victim’s computer:
– browser cookies
– browser history
– browser payment information
– saved login credentials
– cryptocurrency wallets
– text files
– browser form autofill information
– Authy 2FA authenticator databases
– a screenshot of your desktop at the time of infection, and more.
This information will then be uploaded to a remote server so that it can be collected by the attackers and used to perform further attacks on your online accounts.
This could include stealing money from bank accounts, identity theft, or further spear-phishing attacks.