Journalists at BleepingComputer drew attention to complaints from users who reported on forums that they were being persistently prompted to download a strange application, supposedly created by WHO and providing information about COVID-19. As it turned out, these users' routers had been compromised, and the "application" being pushed on them was an infostealer.
According to the publication, in all cases the victims owned D-Link or Linksys routers, and unknown attackers had changed the DNS settings on the devices. It is not yet clear exactly how the attackers gained access, but several victims admitted that remote management of their routers was enabled and that they used weak passwords. The most likely explanation is therefore brute-forcing of the administrator credentials, including lists of known default values.
Having gained access to a device, the attackers change its DNS server addresses to 220.127.116.11 and 18.104.22.168, so every name lookup from the network behind the router goes through resolvers they control.
Researchers explain that when a computer connects to a network, Windows uses the Network Connectivity Status Indicator (NCSI) feature, which periodically checks whether the Internet connection is active. In Windows 10, one of these tests requests http://www.msftconnecttest.com/connecttest.txt and checks whether the response is exactly "Microsoft Connect Test". If it is, the computer is considered connected to the Internet; if not, Windows warns that the Internet is not available.
If the user is behind a compromised router, the malicious DNS servers resolve the probe hostname not to Microsoft's legitimate address 22.214.171.124 but to the attackers' server at 126.96.36.199. Instead of the expected text file, that server returns a page asking the victim to download and install a fake application called "Emergency – COVID-19 Informator" or "COVID-19 Inform App", supposedly created by WHO. Windows treats an unexpected reply to this probe as a sign-in (captive-portal) page and opens it in the default browser, which is why the victims kept seeing the prompt.
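The hijack described in the paragraphs above can be checked from the affected Windows client. The script below is an added example written for this page, not code from BleepingComputer or the researchers: it parses `ipconfig /all` output for the router-assigned resolvers, compares them with the two addresses the article names, and classifies what comes back for the NCSI probe URL (the genuine probe text versus an HTML download page). The sample `ipconfig` output and the HTML page are constructed for the example, and the `Microsoft NCSI` User-Agent header is assumed to match the one the Windows probe sends.

```python
"""Added example (not from the article or BleepingComputer): a client-side check
for the NCSI hijack described above.

Two things a victim can verify on the Windows client itself:
 1. whether the resolvers the router handed out are the addresses the article
    names as attacker-controlled;
 2. whether http://www.msftconnecttest.com/connecttest.txt still returns the
    exact probe string Windows expects, or an HTML page in its place.
"""
import urllib.request

NCSI_URL = "http://www.msftconnecttest.com/connecttest.txt"
NCSI_EXPECTED = b"Microsoft Connect Test"
# Resolver addresses quoted in the article as the attacker-controlled DNS servers.
ARTICLE_MALICIOUS_DNS = frozenset({"220.127.116.11", "18.104.22.168"})


def dns_servers_from_ipconfig(text):
    """Extract the 'DNS Servers' entries from `ipconfig /all` output.

    ipconfig prints fields as 'Name . . . : value' and continues multi-valued
    fields on indented lines that carry only the value, so a line without ' : '
    while we are inside the DNS Servers field is another resolver address.
    """
    servers, capturing = [], False
    for line in text.splitlines():
        if " : " in line:
            name, value = line.split(" : ", 1)
            capturing = "DNS Servers" in name
            if capturing and value.strip():
                servers.append(value.strip())
        elif capturing and line.strip():
            servers.append(line.strip())
        else:
            capturing = False  # blank line or adapter header ends the field
    return servers


def flag_dns_servers(configured, bad=ARTICLE_MALICIOUS_DNS):
    """Return the configured resolver addresses that appear on the bad list."""
    return sorted(set(configured) & set(bad))


def classify_ncsi_body(body, content_type=""):
    """Classify what came back for connecttest.txt.

    'ok'         exact probe string: the connectivity check is genuine
    'hijacked'   HTML served in place of the probe, i.e. the download page the
                 article describes
    'unexpected' anything else (empty reply, proxy error page, ...)
    """
    if body.strip() == NCSI_EXPECTED:
        return "ok"
    if b"<html" in body.lower() or "text/html" in content_type.lower():
        return "hijacked"
    return "unexpected"


def audit(ipconfig_text, ncsi_body, content_type=""):
    """Combine both checks into one verdict dictionary."""
    servers = dns_servers_from_ipconfig(ipconfig_text)
    bad = flag_dns_servers(servers)
    verdict = classify_ncsi_body(ncsi_body, content_type)
    return {
        "dns_servers": servers,
        "known_bad_dns": bad,
        "ncsi": verdict,
        "compromised": bool(bad) or verdict == "hijacked",
    }


def fetch_ncsi(url=NCSI_URL, timeout=5):
    """Live check: fetch the probe through the system resolver (needs network)."""
    # Assumed to match the User-Agent of the Windows probe, so a server that only
    # hijacks NCSI traffic behaves as it would for Windows itself.
    req = urllib.request.Request(url, headers={"User-Agent": "Microsoft NCSI"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read(), resp.headers.get("Content-Type", "")


# Constructed sample data: `ipconfig /all` output from a client behind a router
# whose DNS settings were rewritten as in the article, and the kind of page the
# attackers' server returns instead of the probe text.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 220.127.116.11
                                       18.104.22.168
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_HIJACK_BODY = (b"<html><body><h1>COVID-19 Inform App</h1>"
                      b"<a href=\"/download\">Download</a></body></html>")

if __name__ == "__main__":
    print(audit(SAMPLE_IPCONFIG, SAMPLE_HIJACK_BODY, "text/html"))
    try:  # live check against this machine's current resolvers
        body, ctype = fetch_ncsi()
        print("live NCSI verdict:", classify_ncsi_body(body, ctype))
    except OSError as exc:
        print("live check skipped:", exc)
```

Run it as a script on the client: the first line prints the verdict for the constructed sample, the second fetches the real probe through whatever resolvers the router handed out. A "hijacked" verdict, or any resolver on the known-bad list, means the router's DNS settings need to be reset and its administrator password changed before trusting anything the browser shows.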
If the user falls for it and installs the application, instead of information about the coronavirus they get the Oski trojan. This infostealer attempts to collect and send the following to the attackers (the list is incomplete):
- browser history;
- billing information saved in the browser;
- saved credentials;
- cryptocurrency wallet data;
- text files;
- browser form autofill data;
- the Authy 2FA database;
- a screenshot of the desktop at the time of infection.