Written by Shannon Vavra

Personal Wi-Fi routers have long been a cybersecurity weak point, which is a growing concern as the COVID-19 pandemic forces people to work from home.

According to new BitDefender research, criminals have moved quickly to manipulate these routers in a wide swath of countries in Europe, as well as in the United States.

Attackers have begun changing Domain Name System (DNS) settings in Linksys routers, pointing users to what they believe is a legitimate website that also includes a pop-up message with information about the pandemic. However, once a user clicks through, a fake coronavirus-related app may be downloaded containing malware that can perform a host of nefarious activities, according to Liviu Arsene, a global cybersecurity researcher at BitDefender.

”It is a big problem, especially now that everybody’s working from home,” Arsene told CyberScoop. “Having your router’s DNS compromised can spell disaster because if attackers can redirect you to any page they want without raising any suspicion in your browser, you could end up giving away credentials, you could end up giving away files, all sorts of sensitive information, or even allowing attackers to remotely dial into your company’s infrastructure. Compromising a router’s DNS is as bad as it gets.”

It’s unclear how the attackers, whose identity remains unknown, are changing router settings. Arsene writes in a blog post that the attackers are either accessing exposed router management consoles themselves or brute-forcing into the company’s service that allows people to manage router settings via the cloud.

“We think it’s brute-forcing, but it’s not necessarily brute-forcing the router itself,” Arsene told CyberScoop. “Either the router itself is directly exposed online for remote management, or [attackers] use brute-forcing on Linksys cloud accounts.”

Starting on March 18, attackers redirected users from a number of popular websites, including Amazon Web Services, Disney, and Reddit, according to BitDefender. The targeting spiked on March 23, reaching approximately 1,200 individuals in the U.S., Germany, France, The Netherlands, Romania, Bermuda, Poland, and Serbia, Arsene told CyberScoop.

The U.S. and Germany have been the most targeted.

Difficult to detect

DNS hijacking is a particularly difficult attack for the average user to spot, since it tricks the victim into thinking they’re on the webpage they intended to visit.

“By changing the DNS settings on the router, users would actually believe they’ve landed on a legitimate webpage, except that it’s served from a different IP address,” Arsene says.

Once victims land on the redirected webpages, they appear to have found authoritative COVID-19 information from the World Health Organization, along with a prompt to download the malicious app.

Hackers have been preying on the fear surrounding COVID-19 infections for months, imitating WHO and the CDC in emails that contain malware and spreading coronavirus-related apps that contain spyware.

Updating the infostealer

The downloaded malware — known as the Oski infostealer — is hosted on Bitbucket, a web-based version control repository, which may be helping the attackers “dodge security solutions that block suspicious URLs,” Arsene told CyberScoop. Additionally, attackers are using TinyURL, the url shortening service, to further hide their tracks.

Two of the four Bitbucket repositories BitDefender identified in this campaign have already been taken offline, Arsene said, which could mean there are more than 1,200 that BitDefender may not have visibility into.

The Oski malware first appeared on Russian underground forums last December, but it has already proven to be quite versatile. Since March 18, the malware’s capabilities have been updated at least three times, Arsene told CyberScoop. It can steal cryptocurrency wallet credentials, browser credentials, and cookies, and has keylogging capabilities as well.

It’s possible more capabilities are yet to come, Arsene said.

Although the Oski infostealer can communicate with the attacker’s command-and-control server to upload stolen information, Arsene says he does not have insight into whether any data exfiltration has taken place in this particular campaign.