A recently discovered hack of home and small-office routers is redirecting users to malicious sites that pose as COVID-19 informational resources in an attempt to install malware that steals passwords and cryptocurrency credentials, researchers said on Wednesday.

A post published by security firm Bitdefender said the compromises are hitting Linksys routers, although Bleeping Computer, which reported the attack two days ago, said the campaign also targets D-Link devices. It remains unclear how attackers are compromising the routers. The researchers, citing data collected from Bitdefender security products, suspect that the hackers are guessing passwords used to secure routers’ remote management console when that feature is turned on. Bitdefender also hypothesized that compromises may be carried out by guessing credentials for users’ Linksys cloud accounts.

The router compromises allow attackers to designate the DNS servers connected devices use. DNS servers use the Internet domain name system to translate domain names into IP addresses so that computers can find the location of sites or servers users are trying to access. By sending devices to DNS servers that provide fraudulent lookups, attackers can redirect people to malicious sites that serve malware or attempt to phish passwords.

The malicious DNS servers send targets to the domain they requested. Behind the scenes, however, the sites are spoofed, meaning they’re served from malicious IP addresses, rather than the legitimate IP address used by the domain owner. Liviu Arsene, a Bitdefender researcher, says that spoofed sites close port 443, the Internet gate that transmits traffic protected by HTTPS authentication protections. The closure causes sites to connect over HTTP and in so doing, prevents the display of warnings from browsers or email clients that a TLS certificate is invalid or untrusted.

Domains swept into the campaign include:

aws.amazon.com
goo.gl
bit.ly
washington.edu
imageshack.us
ufl.edu
disney.com
cox.net
xhamster.com
pubads.g.doubleclick.net
tidd.ly
redditblog.com
fiddler2.com
winimage.com

The IP addresses serving the malicious DNS lookups are 109.234.35.230 and 94.103.82.249.

The malicious-sites users land on claim to offer an app that provides “the latest information and instructions about coronavirus (COVID-19).”

Users who click on the download button are ultimately redirected to one of several Bitbucket pages that offers a file that installs malware. Known as Oski, the relatively new piece of malware extracts browser credentials, cryptocurrency wallet addresses, and possibly other types of sensitive information.

To prevent attacks on routers, the devices should have remote administration turned off whenever possible. In the event this feature is absolutely necessary, it should be used only by experienced users and protected by a strong password. Cloud accounts—which also make it possible to remotely administer routers—should follow the same guidelines. Moreover, people should frequently ensure that router firmware is up-to-date. If Frankenstein Computers can be of assistance don’t hesitate to let us know!

Frankenstein Computers has been taking care of our happy clients since 1999. We specialize in IT Support,
IT Service, MAC repair, PC Repair, Virus Removal, and much more. Give us a call for remote support or drop in to drop off.