Hackers have been targeting popular brands of routers for years, but new malware has now been thrown into the mix. It is used to gain access to home networks and to hijack devices. Researchers from Bitdefender discovered that criminals were breaking into routers and changing their DNS settings so that victims were shown browser alerts pushing them to download fake coronavirus information apps. Linksys and D-Link routers were the most affected, with the attackers using brute-force attacks to get into the routers' admin panels. Once in, they change the DNS settings to redirect traffic toward their own servers.
Hijacking the router
Once a router is hijacked and its DNS settings pointed at a specific IP address, the device can be used to share the user's browsing habits and details with the hacker's servers. The attackers also use a list of websites; users visiting these are redirected to another site to download a fake COVID-19 app, made to look as though the World Health Organization had released it. The domains used to redirect to the fake website hosting the app include the following:
Researchers found that the fake application also installs a data-stealing Trojan called Oski. The Trojan was recently discovered and linked to Russian dark web forums, where it was being sold for profit. Oski is used to steal user credentials, payment information, browser cookies, two-factor authentication (2FA) databases, saved login credentials, and information related to cryptocurrency wallets.
The Oski stealer collects more than login info
The creators of the Oski stealer made it compatible with a wide range of web browsers. It can also collect files from cryptocurrency wallets for services such as Dash, Ethereum, Litecoin, Electrum and potentially more. The malware's creators claim the info stealer can also pick up login credentials stored in web browsers' SQL databases and in the Windows registry. Once the hackers have the collected information, they can use it for their own purposes, which may include hijacking crypto wallets and stealing cryptocurrency, using login details for identity theft, or running phishing scams.
Some users reported that their settings may have been compromised because of weak passwords; having remote access enabled may also have been part of the problem. Users who own a Linksys or D-Link router are advised to sign in with a strong password and to check that their router settings haven't been changed.
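As an added defender-side example (not code from the article or from Bitdefender), the following Python checks the two things the advice above amounts to: whether the resolvers a network hands out are the ones you expect, and whether answers for a few domains differ from a trusted reference resolver. The allowlist, the resolv.conf text and the DNS answers are constructed sample data; the 203.0.113.x addresses are documentation addresses, not the campaign's real indicators.

```python
import ipaddress

# Constructed allowlist: resolvers this network is expected to hand out
# (the router's own LAN address plus the public resolvers you chose).
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# Constructed resolv.conf-style text as a DHCP client might write it after
# a router's DNS settings were altered; 203.0.113.50 is a documentation
# address standing in for a rogue resolver, not a real indicator.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0.dhcp
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.50  # unexpected entry
options timeout:2
"""

# Constructed A-record answers: example.org diverges, example.com agrees.
OBSERVED = {"example.org": {"203.0.113.7"}, "example.com": {"198.51.100.5"}}
REFERENCE = {"example.org": {"198.51.100.10"}, "example.com": {"198.51.100.5"}}

def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue                       # ignore malformed entries
    return servers

def find_unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers not on the allowlist, in the order they were listed."""
    return [s for s in servers if s not in expected]

def find_divergent_answers(observed, reference):
    """Domains whose A records seen through the current resolver differ
    from those obtained via a trusted out-of-band resolver (both given as
    domain -> set of IPs). A diverging answer for a site you did not
    change is a sign that traffic is being redirected."""
    return sorted(d for d in reference if observed.get(d) != reference[d])

if __name__ == "__main__":
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("unexpected resolvers:", find_unexpected_resolvers(servers))
    print("redirected domains:", find_divergent_answers(OBSERVED, REFERENCE))
```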