Over the last few days, some members of the BleepingComputer forum began to report their web browser opening on its own and displaying a message for the user to download malware disguised as a “COVID-19 Inform App,” which falsely claimed to be from the World Health Organization (WHO). The cause was DNS settings being changed in their home routers. Although it is not currently known how the attackers are changing the settings, some members of the forum reported having remote administration enabled. Once an attacker gained access to their router, DNS servers would be set to 188.8.131.52 and 184.108.40.206. Eventually, every device on the network that doesn’t set DNS on its own will update to the servers provided by the router.
While connected to a network, Windows computers will periodically probe http://www.msftconnecttest.com/connecttest.txt for a specific response to determine whether or not the device has Internet connectivity. By changing the DNS server settings on the router, every Windows device that uses DNS provided to the router will now ask attacker-controlled DNS servers for the IP address of msftconnecttest.com. When Windows performed a connectivity check, it now went to the malicious site causing the web browser to open.
Clicking on the download button on the website will download the Oski stealer malware. Like many other stealers, Oski will attempt to grab information such as browser cookies and history, saved credentials, payment information, cryptocurrency wallets, and Authy two-factor authentication databases. The malware also takes a screenshot of the desktop at the time of infection.
With much of the world embracing remote work due to COVID-19, home routers are a large target. Manufacturers don’t provide many updates, and home users often don’t install the updates that are available. Company-owned computers connected to employees’ home networks are susceptible to attacks against the employees’ home routers. If an employee is tricked into installing malware that steals passwords stored in browsers, it is important to reset passwords for enterprise accounts and external accounts. Binary Defense strongly discourages enabling remote administration on home routers whenever possible. This is a feature most people do not need. Many routers will provide options such as remote web management, SSH and telnet options. Browse through the settings on the router to make sure these are disabled. While checking on settings, also check to see if the firmware is up-to-date! Be cautious about enabling port forwarding. Port forwarding opens up specified devices to traffic from the Internet. Make sure that any devices that are the target of port forwarding rules are kept up-to-date as well.