A malware distribution campaign has been detected that uses malicious coronavirus apps to deliver the Oski information stealing Trojan. The campaign was detected by Bitdefender which reports that 1,193 individuals have been targeted in just a couple of days from March 18. Attempts have been made to shut down the malware repositories that are being used by the attackers, but it is probable that others will be set up to take their place.

Bitdefender reports that threat actors have been conducting scans to identify vulnerable Linksys routers and are using brute force tactics to weak passwords and remote management credentials. Some reports suggest that D-Link routers are also being attacked.

Once access is gained to the router, the DNS settings are changed. When a user attempts to visit a legitimate site, since the attackers can control the DNS they can respond with a different IP address that they control. Domains that have been targeted and spoofed include Amazon.com, imageshack.us, disney.com, tidd.ly, and redditblog.com, and xhamster.com.

When the user lands on one of these fake sites, they are presented with a warning that claims to be from the World Health Organization (WHO) that advises them to download a coronavirus app which will provide them with important, up to date information and instructions about the coronavirus and COVID-19. Clicking the download button, which has a shortened TinyURL URL, will direct them to BitBucket where the malicious app is downloaded.

When the downloaded installer is run – named either setup_who.exe, covid19informer.exe, or runset.exe – the Oski information stealer will be executed. This malware has been developed to steal credentials stored in browsers and passwords for cryptocurrency wallets.

Anyone with a D-Link or Linksys router should ensure that they have a strong password set on their router and should consider updating the password. Passwords for Linksys cloud accounts should also be changed, along with any passwords for remote router management accounts.