25.03.2020

New Brute-Force Attack Aims at Home Routers as More People Work Remotely

Bitdefender researchers have recently found a new attack that targets home routers and changes their DNS settings to redirect victims to a malware-serving website that delivers the Oski infostealer as a final payload.

What’s interesting about the attack is that it stores malicious payloads using Bitbucket, the popular web-based version control repository hosting service. To make sure the victim doesn’t suspect foul play, attackers also abuse TinyURL, the popular URL-shortening web service, to hide the link to the Bitbucket payload.

Sure enough, the webpage to which users are redirected mentions the Coronavirus pandemic, promising to offer for download an application that will give out “the latest information and instructions about coronavirus (COVID-19)”.

COVID-19 is a recurring theme that cybercriminals have been abusing to trap victims. Reports of coronavirus-themed malware increased five-fold in March compared with February, with attackers running phishing scams that exploit Coronavirus misinformation and fear of medical supply shortages.

Key findings:

  • Mostly targets Linksys routers, bruteforcing remote management credentials
  • Hijacks routers and alters the DNS server addresses they hand out to clients
  • Redirects a specific list of webpages/domains to a malicious Coronavirus-themed webpage
  • Uses Bitbucket to store malware samples
  • Uses TinyURL to hide the Bitbucket link
  • Drops the Oski infostealer malware

How the attack works

While it’s not uncommon for hackers to piggyback on global news, such as the pandemic, to deliver phishing emails laced with tainted attachments, this recent development shows they are nothing if not creative in compromising victims. Attackers seem to have been probing the internet for routers with remote management exposed, compromising them, potentially by bruteforcing the management password, and then changing the DNS server addresses the router hands out to the devices behind it.

DNS settings matter because DNS works like a phone book. Whenever a user types the name of a website, the DNS resolver returns the IP address of the server that hosts that domain name, much as a smartphone's contact list lets you look up a name instead of memorizing a phone number. Once attackers replace the router's DNS server addresses with their own, every lookup from every device on that network goes through a resolver they control: they can answer the domains they care about with the address of a webpage they run and pass everything else through unchanged, without anyone being the wiser.
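The two checks a defender would run against a router suspected of this are, first, whether the DNS servers it hands out are ones the owner actually configured, and second, whether a watchlist of domains resolves the same way through the router's resolver as through a trusted one. The script below is an added example, not Bitdefender's code or any tooling from the report. The allowlist, the watchlist, the resolver answers and the RFC 5737 documentation addresses are all constructed for the demo; the resolvers are injected as callables so the logic runs offline, and a real deployment would substitute lookups against the router's DNS server and against a trusted public resolver.

```python
"""Heuristic detector for router-level DNS hijacking (added example).

Two checks that follow from the attack described above:
  1. the DNS servers a host was handed by its router are compared against an
     allowlist (the router's LAN address and resolvers the owner chose);
  2. a watchlist of domains is resolved through the suspect (router) resolver
     and through a trusted one; domains whose answers disagree *and* collapse
     onto one IP shared by several unrelated domains are reported as hijacked.

Resolvers are injected as callables so the logic runs offline; the sample
answers at the bottom are constructed. Plug in real lookups (e.g. dnspython's
dns.resolver.Resolver with `nameservers` set) for live use.
"""
import ipaddress
from collections import Counter
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]  # domain -> set of IPv4 address strings

# Hypothetical allowlist for the demo: the router's LAN address plus two
# public resolvers the owner deliberately configured.
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# RFC 1918 ranges, spelled out rather than via ipaddress.is_private because
# that flag also covers the documentation ranges (TEST-NET) used in the demo.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _RFC1918)


def unexpected_resolvers(configured: Iterable[str],
                         expected: Set[str] = EXPECTED_RESOLVERS) -> List[str]:
    """DNS servers that are neither allowlisted nor on the local network."""
    return [a for a in configured if a not in expected and not is_rfc1918(a)]


def analyse_resolution(domains: Iterable[str], suspect: Resolver, trusted: Resolver,
                       collapse_threshold: int = 3) -> Dict[str, object]:
    """Cross-resolve `domains` and separate real hijacks from benign CDN drift.

    A domain is 'hijacked' when the suspect answer shares no address with the
    trusted answer AND that address is returned for at least
    `collapse_threshold` different domains (one redirect page for many sites).
    Plain mismatches are returned separately for manual review.
    """
    per_domain: Dict[str, Dict[str, Set[str]]] = {}
    hits: Counter = Counter()
    for d in domains:
        s, t = set(suspect(d)), set(trusted(d))
        per_domain[d] = {"suspect": s, "trusted": t}
        hits.update(s)
    sinkholes = {ip for ip, n in hits.items() if n >= collapse_threshold}
    hijacked, mismatch_only = [], []
    for d, r in per_domain.items():
        if r["suspect"] & r["trusted"]:
            continue  # at least one address agrees: treat as benign
        (hijacked if r["suspect"] & sinkholes else mismatch_only).append(d)
    return {"sinkholes": sinkholes, "hijacked": sorted(hijacked),
            "mismatch_only": sorted(mismatch_only)}


# --- constructed demo data (RFC 5737 documentation addresses, not real hosts) ---
WATCHLIST = ["news.example", "shop.example", "mail.example", "cdn.example", "example.org"]

TRUSTED_ANSWERS = {
    "news.example": {"203.0.113.10"},
    "shop.example": {"203.0.113.20"},
    "mail.example": {"203.0.113.30"},
    "cdn.example": {"198.51.100.5", "198.51.100.6"},
    "example.org": {"203.0.113.40"},
}
# What a hijacked router's resolver might return: three watchlist domains
# steered to one attacker page, a CDN host that merely differs by region,
# and one domain left untouched.
SUSPECT_ANSWERS = {
    "news.example": {"198.51.100.99"},
    "shop.example": {"198.51.100.99"},
    "mail.example": {"198.51.100.99"},
    "cdn.example": {"198.51.100.7"},
    "example.org": {"203.0.113.40"},
}


def demo() -> Dict[str, object]:
    """Run both checks on the constructed data."""
    result = analyse_resolution(WATCHLIST, SUSPECT_ANSWERS.__getitem__,
                                TRUSTED_ANSWERS.__getitem__)
    result["bad_resolvers"] = unexpected_resolvers(["198.51.100.50", "198.51.100.51"])
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The collapse threshold is what keeps this usable: CDN-fronted sites routinely return different addresses from different resolvers, so a bare mismatch proves nothing, whereas several unrelated domains all answering with one address is the signature of a single redirect page and is worth an alert on its own. Run the resolver check from a client on the LAN (the addresses in its DHCP lease), not from the router's admin page, since that page may be showing you the values an attacker set.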

Read the full story here