Journalists at Bleeping Computer drew attention to complaints from forum users who were persistently prompted to download a strange application that supposedly provided information about COVID-19 and was created by WHO. As it turned out, these users' routers had been compromised, and an infostealer was being distributed under the guise of the application.
The publication says that in all cases the victims owned D-Link or Linksys routers, and unknown attackers had changed the DNS settings on the devices. It is unclear exactly how the attackers gained access to the devices, but several victims admitted that their routers could be accessed remotely and that they used weak passwords. So the likely method is brute force: trying credentials from a list of known default values.
Having gained access to the device, attackers change the DNS server addresses to 126.96.36.199 and 188.8.131.52.
Researchers explain that when a computer connects to a network, Windows uses Microsoft's Network Connectivity Status Indicator (NCSI) feature, which periodically checks whether the Internet connection is active. In Windows 10, one of these tests is to connect to http://www.msftconnecttest.com/connecttest.txt and check whether the response is “Microsoft Connect Test”. If it is, the computer is considered connected to the Internet; if not, Windows warns that the Internet is not available.
If the user is behind a compromised router, the malicious DNS servers force Windows to connect to the attackers' resource at 220.127.116.11 instead of the legitimate Microsoft IP address 184.108.40.206. As a result, instead of returning the aforementioned text file, the site displays a page asking the victim to download and install the fake application “Emergency – COVID-19 Informator” or “COVID-19 Inform App”, supposedly created by WHO.
If the user falls for the lure and downloads and installs this application, then instead of information about the coronavirus they receive the Oski Trojan. This malware tries to collect and send the following information to the attackers (the list is incomplete):
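A defender can check a Windows host for both symptoms described above: the rogue DNS servers and an NCSI probe that no longer returns the expected text. The following is an added example, not code from the original article; the `ipconfig /all` text and the probe body are constructed samples, and the function names are hypothetical.

```python
# Added example: triage a host for the router DNS hijack described in the article.
# DNS server addresses the article reports being set on compromised routers.
ROGUE_DNS = {"126.96.36.199", "188.8.131.52"}
# Body Windows expects from http://www.msftconnecttest.com/connecttest.txt
NCSI_EXPECTED = "Microsoft Connect Test"

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 126.96.36.199
                                       188.8.131.52
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
# Constructed sample of what a hijacked probe might return instead of the text file.
SAMPLE_PROBE_BODY = "<html><body>Emergency - COVID-19 Informator</body></html>"

def dns_servers(ipconfig_text):
    """Return every DNS server listed, including unlabelled continuation lines."""
    servers, in_block = [], False
    for line in ipconfig_text.splitlines():
        # Labelled lines use " : " as separator; IPv6 addresses never contain it.
        if " : " in line or line.rstrip().endswith(" :"):
            label, _, value = line.partition(" : ")
            in_block = label.strip().startswith("DNS Servers")
        else:
            value = line
        if in_block and value.strip():
            servers.append(value.strip())
        elif not line.strip():
            in_block = False  # a blank line ends the adapter section
    return servers

def probe_ok(body):
    """True only if the NCSI probe returned exactly the expected text."""
    return body.strip() == NCSI_EXPECTED

def assess(ipconfig_text, probe_body):
    """Combine both checks; a probe mismatch alone also occurs on captive portals."""
    findings = []
    rogue = [s for s in dns_servers(ipconfig_text) if s in ROGUE_DNS]
    if rogue:
        findings.append(("rogue_dns", rogue))
    if not probe_ok(probe_body):
        findings.append(("ncsi_mismatch", probe_body[:40]))
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_IPCONFIG, SAMPLE_PROBE_BODY):
        print(finding)
```

A `rogue_dns` finding means the resolvers handed out by the router match the addresses reported in the article, so the router's DNS settings and admin password should be reset before the host's results are trusted again.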
- browser history;
- billing information from the browser;
- saved credentials;
- cryptocurrency wallet data;
- text files;
- autocomplete data for forms in the browser;
- Authy 2FA database identifiers;
- screenshots of the desktop at the time of infection.