#Privacy: Threat actors target home routers

Researchers have uncovered a new cyber attack whereby at least 1,193 victims have been targeted in a matter of days.

Bitdefender researchers discovered that threat actors are now targeting home routers and changing their Domain Name System (DNS) settings to redirect victims to a malware-serving website.

In a blog post, Bitdefender explained that amidst the global pandemic, threat actors have become creative in compromising victims.

“Attackers seem to have been probing the internet for vulnerable routers, managing to compromise them – potentially via bruteforcing passwords – and changing their DNS IP settings.”

Once threat actors alter the DNS IP addresses, they are able to redirect users to webpages that they can control, “without anyone being the wiser.”

The targeted domains that are redirected include “aws.amazon.com”, “washington.edu”, “redditblog.com”, “disney.com” and more.

The webpage that victims are redirected to displays a message purportedly from the World Health Organisation (WHO), telling users to install an application that offers instructions and information about COVID-19.

“What’s interesting is that, by changing the DNS settings on the router, users would actually believe they’ve landed on a legitimate webpage, except that it’s served from a different IP address. For example, when users type “example.com”, instead of the webpage being served from a legitimate IP address, it would be served from an attacker-controlled IP that’s resolved by the malicious DNS settings,” Bitdefender explained.

“The download button has the “href” tag (hyperlink) set to https://google.com/chrome so it seems clean when the victim hovers over the button. But actually, an “on-click” event is set that changes the URL to the malicious one, hidden in the URL shortened with TinyURL.”

Upon clicking the “Download” button, victims download a malicious .exe file from the Bitbucket repository. To cover their tracks, threat actors named the file “runset.EXE”, “covid19informer.exe”, or “setup_who.exe.”
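An added example, not taken from Bitdefender's post or this article: a small Python check that flags the hover/click mismatch described above, where a link's href shows one host while its inline on-click handler points to another. The sample HTML and the host short.example are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Absolute URLs embedded in an inline event handler string.
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)


class LinkMismatchFinder(HTMLParser):
    """Collect <a> tags whose onclick handler names a host other than the href host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k: (v or "") for k, v in attrs}
        href = a.get("href", "")
        href_host = (urlsplit(href).hostname or "").lower()
        for url in URL_RE.findall(a.get("onclick", "")):
            click_host = (urlsplit(url).hostname or "").lower()
            # What the user sees on hover differs from where the click leads.
            if click_host and click_host != href_host:
                self.findings.append({"href": href, "onclick_url": url})


def find_mismatched_links(html):
    """Return one finding per onclick URL whose host differs from the href host."""
    finder = LinkMismatchFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one deceptive button and two benign links.
SAMPLE = """
<a id="dl" href="https://google.com/chrome"
   onclick="this.href='https://short.example/abc123'">Download</a>
<a href="https://example.org/help" onclick="track('help')">Help</a>
<a href="https://example.org/a" onclick="window.open('https://example.org/b')">More</a>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE):
        print(f"hover shows {f['href']} but click leads to {f['onclick_url']}")
```

The check only inspects inline onclick attributes; handlers attached from separate script code need a rendered-page or proxy-level inspection instead.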

The downloaded file is packed with MPRESS, and its payload is the Oski stealer, which communicates with a C&C server to upload stolen information.

“Oski is a relatively new infostealer that seems to have emerged in late 2019. Some of the features that it packs revolve around extracting browser credentials and cryptocurrency wallet passwords, and its creators even brag that it can extract credentials stored in SQL databases of various Web browsers and Windows Registry.”

At the time the post was published, the number of victims exceeded 1,193, and it is estimated that the number of victims is likely to increase in the coming weeks.

