The coronavirus pandemic is creating a wave of fraud campaigns. There are the garden-variety social engineering tactics, such as phishing emails or phone calls impersonating the CDC, but more elaborate schemes also exist. One such scheme involves hijacking a home router and changing its DNS settings in order to push users toward installing a malicious coronavirus app.
The application in question, according to Bleeping Computer's Lawrence Abrams, claims to be from the World Health Organization. Titled "COVID-19 Inform App," it actually carries an information-stealing Trojan called Oski.
The attack is involved, but it appears to begin with poor router administration practices, such as weak passwords. Once the router has been hijacked, as Abrams explains, things get interesting:
"After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers... As most computers use the IP address and DNS information provided by their router, the malicious DNS servers were redirecting victims... For victims of this attack, when Windows performs this NCSI active probe, instead of being connected to the legitimate 220.127.116.11 Microsoft IP address, the malicious DNS servers send you to a web site located at 18.104.22.168."
Once downloaded, the malicious coronavirus application harvests a large amount of information. The Oski Trojan scans for browser activity, passwords, payment information, and much more. It also takes a screenshot of the machine at the time of infection.
To prevent this malicious coronavirus app from being installed on your system, secure your router with a strong password. Additionally, disable remote administration on the router. If you do find yourself redirected to one of these coronavirus apps, obviously don't download it.
If it is too late for that, scan your machine with a reputable malware scanner and uninstall the application if you find it. If it is indeed there, change all of your passwords and secure any sensitive data, as the threat actors behind this have likely stolen your login credentials.
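A defender can check for the two symptoms described above, a router handing out unexpected DNS servers and an NCSI probe that no longer reaches Microsoft, with a short script. The code below is an added example, not part of the original article or Bleeping Computer's research; the resolver config and trusted network are constructed sample values, and the probe URL and expected body are the ones Windows 10 uses for its NCSI active probe (not stated on the page).

```python
"""Check for the router DNS-hijack pattern: unexpected resolvers and a tampered NCSI probe."""
import ipaddress
import urllib.error
import urllib.request

# Windows 10 NCSI active probe: the page served at this URL must contain this exact text.
NCSI_URL = "http://www.msftconnecttest.com/connecttest.txt"
NCSI_EXPECTED_BODY = b"Microsoft Connect Test"

# Constructed sample: a resolv.conf-style config after a hijack. 192.0.2.53 is a
# documentation (TEST-NET-1) address standing in for an attacker-controlled resolver.
SAMPLE_RESOLV_CONF = "search lan\nnameserver 192.0.2.53\nnameserver 192.168.1.1\n"
SAMPLE_TRUSTED_NETWORKS = ["192.168.1.0/24"]  # assumed: the home LAN, i.e. the router itself

def parse_resolvers(resolv_conf: str) -> list:
    """Extract nameserver addresses from resolv.conf-style text, in order."""
    return [parts[1] for parts in (line.split() for line in resolv_conf.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]

def unexpected_resolvers(resolvers: list, trusted_networks: list) -> list:
    """Return resolvers that fall outside the networks the router is expected to advertise."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    bad = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            bad.append(r)  # not even a valid address: flag it
            continue
        if not any(addr in n for n in nets):
            bad.append(r)
    return bad

def evaluate_probe(body: bytes, redirected: bool) -> str:
    """Classify an NCSI probe result as 'ok', 'redirected' (3xx seen) or 'tampered' (wrong body)."""
    if redirected:
        return "redirected"
    return "ok" if body.strip() == NCSI_EXPECTED_BODY else "tampered"

def live_probe(timeout: float = 5.0) -> str:
    """Fetch the NCSI probe through the system resolver without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make any 3xx surface as an HTTPError instead of being followed
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(NCSI_URL, timeout=timeout) as resp:
            return evaluate_probe(resp.read(), False)
    except urllib.error.HTTPError as err:
        return evaluate_probe(b"", 300 <= err.code < 400)

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(parse_resolvers(SAMPLE_RESOLV_CONF),
                                                        SAMPLE_TRUSTED_NETWORKS))
```

Running the script on a real machine means feeding `parse_resolvers` the host's actual resolver config and calling `live_probe()`; any resolver outside the home LAN, or a probe result other than "ok", matches the hijack described above.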
In general, be wary of any information related to the coronavirus pandemic that requires downloads.
Featured image: Wikimedia/Scientific Animations