Over the last few days, some members of the BleepingComputer forums began reporting that their web browser opened on its own to a page urging them to download a “COVID-19 Inform App,” which falsely claimed to come from the World Health Organization (WHO). The cause was that the DNS settings on their home routers had been changed. How the attackers are changing the settings is not yet known, though some affected members reported having remote administration enabled on their routers. Once an attacker gained access to a router, its DNS servers were set to 126.96.36.199 and 188.8.131.52. Because most devices take their DNS servers from the router via DHCP, every device on the network that does not set its own DNS servers eventually starts using the attacker-controlled ones.
While connected to a network, Windows periodically requests http://www.msftconnecttest.com/connecttest.txt and expects a specific response (the text “Microsoft Connect Test”) to determine whether the device has Internet connectivity. With the router's DNS settings changed, every Windows device that uses the DNS servers provided by the router now asks the attacker-controlled servers for the IP address of www.msftconnecttest.com and is pointed at the malicious site instead. The connectivity check then receives the attacker's page rather than the expected response, and Windows treats that as a captive-portal sign-in page and opens the web browser on it.
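As an added check that is not part of the original article or the forum reports, the following Python script looks for both symptoms described above on a client machine: the two resolver addresses named in the article showing up in the configured DNS servers, and the NCSI probe returning something other than the expected text. It assumes the rogue resolvers are exactly the two addresses above and that the probe body Windows expects is the string “Microsoft Connect Test”; the `ipconfig /all` excerpt, resolv.conf text and HTML body it runs on are constructed samples, and only the `live_check` helper touches the network.

```python
"""Added example (not code from the article or the forum posts).

Assumptions: the rogue resolver addresses are the two named in the article,
and the NCSI probe body Windows expects is "Microsoft Connect Test" (the
content of connecttest.txt).  All sample inputs below are constructed.
"""
import re
import socket
import urllib.request

# Resolver addresses named in the article.
ROGUE_DNS = {"126.96.36.199", "188.8.131.52"}

NCSI_HOST = "www.msftconnecttest.com"
NCSI_URL = f"http://{NCSI_HOST}/connecttest.txt"
NCSI_EXPECTED = b"Microsoft Connect Test"


def parse_ipconfig(text):
    """Pull the DNS server list out of `ipconfig /all` output.

    The first server sits on the 'DNS Servers . . . :' line; additional
    servers follow on continuation lines indented past the label column.
    """
    servers, in_dns = [], False
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            servers.append(stripped.split(" : ", 1)[1].strip())
            in_dns = True
        elif in_dns and stripped and indent > 3:
            servers.append(stripped)
        else:
            in_dns = False
    return servers


def parse_resolv_conf(text):
    """Same thing for /etc/resolv.conf on Linux/macOS clients."""
    return [m.group(1) for m in re.finditer(r"^nameserver\s+(\S+)", text, re.M)]


def rogue_resolvers(configured):
    """Configured resolvers that match the attacker-controlled addresses."""
    return sorted(set(configured) & ROGUE_DNS)


def ncsi_body_ok(body):
    """Windows reports Internet access only if the probe body matches exactly;
    anything else (such as the malware landing page) is treated as a captive
    portal, which is what pops the browser open."""
    return body.strip() == NCSI_EXPECTED


def audit(configured, probe_body):
    """Combine both checks into a list of findings (empty means clean)."""
    findings = []
    bad = rogue_resolvers(configured)
    if bad:
        findings.append("rogue DNS servers configured: " + ", ".join(bad))
    if not ncsi_body_ok(probe_body):
        findings.append("NCSI probe returned unexpected content")
    return findings


# Constructed sample: what a hijacked Windows client would show.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 126.96.36.199
                                       188.8.131.52
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample: a clean client that uses the router itself as resolver.
SAMPLE_RESOLV_CONF = "search home\nnameserver 192.168.1.1\n"

# Constructed stand-in for the page a rogue resolver served instead of the probe.
SAMPLE_BAD_BODY = b"<html><body>COVID-19 Inform App - download</body></html>"


def live_check():
    """Run the same checks against the real resolver and probe URL (needs network)."""
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(NCSI_HOST, 80)})
    with urllib.request.urlopen(NCSI_URL, timeout=10) as resp:
        body = resp.read()
    return ips, ncsi_body_ok(body)


if __name__ == "__main__":
    print(audit(parse_ipconfig(SAMPLE_IPCONFIG), SAMPLE_BAD_BODY))
    print(audit(parse_resolv_conf(SAMPLE_RESOLV_CONF), NCSI_EXPECTED))
```

On a real machine, feed `parse_ipconfig` the output of `ipconfig /all` (or `parse_resolv_conf` the contents of /etc/resolv.conf) and call `live_check` to see which addresses www.msftconnecttest.com currently resolves to; a hijacked client will typically fail both checks at once, since the rogue resolver is what redirects the probe.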
Clicking the download button on the site downloads the Oski information-stealing malware. Like many other stealers, Oski attempts to grab browser cookies and history, saved credentials, payment information, cryptocurrency wallets, and Authy two-factor authentication databases. It also takes a screenshot of the desktop at the time of infection.