Malicious coronavirus app spread via router hijacking

The coronavirus pandemic is creating a large swath of fraud campaigns. There are the garden-variety social engineering tactics, such as phishing emails or phone calls impersonating the CDC, but more elaborate schemes also exist. One such scheme involves hijacking home routers and then changing their DNS settings in order to push users into installing a malicious coronavirus app.

The application in question, according to Bleeping Computer’s Lawrence Abrams, claims to be from the World Health Organization. Titled “COVID-19 Inform App,” the application actually carries an information-stealing Trojan called Oski.

The attack is incredibly involved but appears to begin with poor router administration practices (such as weak passwords). Once the router has been hijacked, as Abrams explains, things get interesting:

“After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers... As most computers use the IP address and DNS information provided by their router, the malicious DNS servers were redirecting victims... For victims of this attack, when Windows performs this NCSI active probe, instead of being connected to the legitimate 13.107.4.52 Microsoft IP address, the malicious DNS servers send you to a web site located at 176.113.81.159.”
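A defender can detect this redirection from an affected client by asking the router-supplied resolver and a known-good resolver the same question and comparing the answers against the legitimate Microsoft address. The script below is an added example, not code from the article or from Bleeping Computer; it assumes the NCSI probe host is www.msftconnecttest.com and that the router is at 192.168.1.1.

```python
import ipaddress
import socket
import struct

# Assumed: Windows resolves www.msftconnecttest.com for its NCSI probe;
# 13.107.4.52 is the legitimate Microsoft address named in the article.
NCSI_HOST = "www.msftconnecttest.com"
EXPECTED_NCSI_IPS = {"13.107.4.52"}

def build_a_query(name, txid=0x1234):
    # Minimal DNS A query: one question, recursion desired.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def _skip_name(data, offset):
    # Offset just past a DNS name; a compression pointer (0xC0..) is 2 bytes and ends it.
    while data[offset] != 0:
        if data[offset] & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + data[offset]
    return offset + 1

def parse_a_records(response):
    # Extract IPv4 answers from a DNS response; [] on an error RCODE.
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", response[:12])
    if flags & 0x000F:
        return []
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(response, offset) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        offset = _skip_name(response, offset)
        rtype, _, _, rdlength = struct.unpack(">HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlength == 4:
            ips.append(str(ipaddress.IPv4Address(response[offset:offset + 4])))
        offset += rdlength
    return ips

def check_ncsi_answer(ips, expected=EXPECTED_NCSI_IPS):
    # True only if every returned address is legitimate; False signals a hijack.
    return bool(ips) and set(ips) <= set(expected)

def query_resolver(server, name=NCSI_HOST, timeout=3.0):
    # Ask one DNS server over UDP and return its A records.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        return parse_a_records(s.recvfrom(512)[0])
```

On a live network, running query_resolver against the assumed router address 192.168.1.1 and against a trusted public resolver such as 9.9.9.9 should both pass check_ncsi_answer; an answer of 176.113.81.159 from the router alone is the sign described above.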

The malicious coronavirus application, once it is downloaded and run, harvests a large amount of information. The Oski Trojan collects browser activity, passwords, payment information, and much more. It also takes a screenshot of the machine at the time of infection.

To prevent this malicious coronavirus app from being installed on your system, make sure your router is secured with a strong password. Additionally, you should disable the remote administration function. If you do find yourself redirected to one of these coronavirus apps, obviously don’t download it.

If it is too late for that, scan your machine with a powerful malware scanner and uninstall the application if you find it. If it is indeed there, change all of your passwords and secure any sensitive data as the threat actors behind this have likely stolen your login credentials.

In general, be wary of any information related to the coronavirus pandemic that requires downloads.

Featured image: Wikimedia/Scientific Animations

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
