Hackers are targeting consumer routers to push malware


Not only is the number of phishing campaigns increasing now that many people worldwide are working from home because of the coronavirus, there has also been an increase in attacks by hackers who try to get malware onto a system by other means. Home routers are being targeted as well.

Researchers at Bitdefender observed a series of new attacks aimed at altering DNS settings. The main targets appear to be Linksys routers, whose login credentials are reportedly being brute-forced. After the DNS IP address has been changed, the user is redirected to a page with news about the coronavirus when visiting any of a series of frequently visited sites (including Amazon, but also porn sites). That page then offers an application that purports to provide information and instructions.

Fooling users

The app contains malware (the Oski infostealer), and the URL of the page is partially hidden using TinyURL, a popular service that shortens long site names for easier sharing. The malware, which is downloaded from Bitbucket, is not only hard to recognise behind the TinyURL link; because the DNS settings have been altered, users are also unaware that they are being redirected at all.

As soon as the DNS settings in the router have been changed, requests to open a web page are handled by two IP addresses: 109.234.35.230 and 94.103.82.249. All the hackers then have to do is serve a popup when the user visits one of a series of web pages (a partial list can be found on Bitdefender’s site).
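To show the detection side of the redirection described above, here is an added Python example (not from the article or from Bitdefender) that parses a resolv.conf-style resolver configuration and flags any resolver matching the two addresses named in the report, or any public resolver not on an allowlist. The configuration text and the allowlist are constructed assumptions.

```python
import ipaddress
import re

# Rogue resolver addresses named in the Bitdefender report discussed above.
ROGUE_DNS = {"109.234.35.230", "94.103.82.249"}

# Constructed sample: what a home machine might see after the router's
# DHCP-advertised DNS servers were altered (not a real capture).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 109.234.35.230
nameserver 94.103.82.249
"""


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def audit_resolvers(servers, trusted=frozenset()):
    """Classify each resolver as known-rogue, trusted, private, untrusted-public or invalid."""
    findings = {}
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            findings[s] = "invalid"
            continue
        if s in ROGUE_DNS:
            findings[s] = "known-rogue"
        elif s in trusted:
            findings[s] = "trusted"
        elif ip.is_private or ip.is_loopback:
            findings[s] = "private"  # typically the router itself on a home LAN
        else:
            findings[s] = "untrusted-public"
    return findings


def is_hijacked(findings):
    """True if any resolver is a known rogue or an unexpected public address."""
    return any(v in ("known-rogue", "untrusted-public") for v in findings.values())
```

On a real machine the same check can be run over the router's DHCP lease or the output of the OS resolver tooling instead of the constructed text.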

Bitbucket (from which the malware was downloaded) has closed two of the accounts found by Bitdefender; two others are still open. The number of downloads of the content on those accounts is still just over a thousand, but Bitdefender expects the number of victims to be significantly higher than that, since nothing can be seen of the two closed accounts any more.