Attackers are nothing if not opportunistic, and a recently discovered campaign that targets home-office wireless routers and redirects victims to malicious sites that install an information stealer illustrates perfectly just how cynical they can be.
The attacks take advantage of the uncertainty and anxiety surrounding the COVID-19 outbreak to entice victims into installing an app that is disguised as a source of information about the virus from the World Health Organization. The app does nothing of the sort, of course, and instead installs the Oski malware, which steals a wide range of sensitive system and personal information and sends it to a remote server. The theme of cybercrime groups and phishing gangs taking advantage of trending topics or world events is an old one and each new crisis brings out the basest instincts in the attacker population, but this is not a simple phishing campaign. Researchers at Bitdefender uncovered this campaign and found that it has been targeting some models of Linksys routers, and possibly others.
This attack chain begins with an adversary compromising the victim’s home router, likely by brute-forcing the admin credentials. For many models of home wireless routers, the default credentials are widely known and rarely ever changed by individual users, so they make for easy pickings. Once the adversary has a foothold on the router, he changes the default DNS settings to point to servers he controls. This effectively gives the attacker control over what sites the victims will see, regardless of what sites they’re trying to visit. In this case, the attackers redirect victims to a site they control that presents a page urging them to install the malicious virus-tracking app. The attack targets a relatively small list of domains, but some of them are highly trafficked, including disney.com and an Amazon subdomain.
This campaign is especially troubling given the number of people who are now working remotely and relying on their home Internet connections.
“What’s interesting is that, by changing the DNS settings on the router, users would actually believe they’ve landed on a legitimate webpage, except that it’s served from a different IP address. For example, when users type “example.com”, instead of the webpage being served from a legitimate IP address, it would be served from an attacker-controlled IP that's resolved by the malicious DNS settings,” Liviu Arsene of Bitdefender said in an analysis of the attack campaign.
“If the attacker-controlled webpage is a spot-on facsimile, users would actually believe they’ve landed on a legitimate webpage, judging from the domain name in the browser’s address bar.”
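The mismatch Arsene describes, a familiar domain name in the address bar served from an attacker-chosen address, is something a defender can test for from inside the network. The Python below is an added example written for this article, not code from Bitdefender’s analysis or from the campaign itself. It runs two checks: whether the resolver addresses the router hands out are on an allowlist, and whether a watchlist of domains resolves the same way through the router’s resolver as through an independent reference resolver. All addresses and answers are constructed sample data from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); the allowlist and the `dict_resolver` stand-in are assumptions, and a real deployment would replace the stand-in with an actual DNS client.

```python
"""Detect router-level DNS hijacking from the client side.

Added example for the article above; the data below is constructed, not
observed. Two checks:
  1. the DNS servers the router advertises must be on an allowlist;
  2. watched domains must resolve through the router's resolver to addresses
     that an independent reference resolver also returns.
CDN rotation can produce benign mismatches, so the strongest signal is
several unrelated domains all landing on the same unexpected address.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# A resolver is any callable mapping a domain to the set of A-record addresses
# it answers with. Real code would wrap a DNS client here.
Resolver = Callable[[str], Set[str]]


def check_dns_servers(configured: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Return advertised resolver addresses that are not in the allowlist.

    `allowed` may hold single addresses or CIDR ranges. A hijacked router
    points clients at attacker-run resolvers, so this is the earliest signal.
    """
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return [
        addr for addr in configured
        if not any(ipaddress.ip_address(addr) in net for net in allowed_nets)
    ]


def find_hijacked(domains: Iterable[str], local: Resolver,
                  reference: Resolver) -> Dict[str, Dict[str, List[str]]]:
    """Flag domains whose local answers include an address the reference
    resolver never returned. Local answers that are a subset of the reference
    answers (normal CDN variation) are not flagged."""
    flagged: Dict[str, Dict[str, List[str]]] = {}
    for domain in domains:
        local_ips = set(local(domain))
        ref_ips = set(reference(domain))
        if local_ips and not local_ips <= ref_ips:
            flagged[domain] = {"local": sorted(local_ips), "reference": sorted(ref_ips)}
    return flagged


def shared_destinations(flagged: Dict[str, Dict[str, List[str]]],
                        min_domains: int = 2) -> Dict[str, List[str]]:
    """Group flagged domains by the address they were steered to. Unrelated
    domains converging on one address is the signature of a redirect landing
    page rather than CDN noise."""
    by_ip: Dict[str, List[str]] = {}
    for domain, info in flagged.items():
        for ip in info["local"]:
            by_ip.setdefault(ip, []).append(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}


def dict_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Offline stand-in for a DNS client (assumption: answers come from a dict)."""
    return lambda domain: set(table.get(domain, ()))


# ---- Constructed sample data ------------------------------------------------
ROUTER_DNS_ALLOWLIST = ["192.168.1.1", "192.0.2.0/24"]   # LAN gateway + ISP resolvers (assumed)
ROUTER_DNS_CLEAN = ["192.168.1.1"]
ROUTER_DNS_HIJACKED = ["203.0.113.53", "203.0.113.54"]  # attacker resolvers (constructed)

WATCHLIST = ["disney.com", "example.com", "example.net", "example.org"]
REFERENCE_ANSWERS = {
    "disney.com": {"198.51.100.10"},
    "example.com": {"198.51.100.20", "198.51.100.21"},
    "example.net": {"198.51.100.30"},
    "example.org": {"198.51.100.40", "198.51.100.41"},
}
# Two watched domains steered to one address; the others answer normally.
LOCAL_ANSWERS_HIJACKED = {
    "disney.com": {"203.0.113.5"},
    "example.com": {"203.0.113.5"},
    "example.net": {"198.51.100.30"},
    "example.org": {"198.51.100.40"},   # subset of reference: benign CDN variation
}


def run_checks(router_dns: List[str], local_table: Dict[str, Set[str]]) -> Dict[str, object]:
    """Run both checks and return a report dict (nothing is printed here)."""
    flagged = find_hijacked(WATCHLIST, dict_resolver(local_table),
                            dict_resolver(REFERENCE_ANSWERS))
    return {
        "unexpected_dns_servers": check_dns_servers(router_dns, ROUTER_DNS_ALLOWLIST),
        "mismatched_domains": flagged,
        "shared_destinations": shared_destinations(flagged),
    }


if __name__ == "__main__":
    for label, dns, table in (("clean", ROUTER_DNS_CLEAN, REFERENCE_ANSWERS),
                              ("hijacked", ROUTER_DNS_HIJACKED, LOCAL_ANSWERS_HIJACKED)):
        print(label, run_checks(dns, table))
```

In the hijacked sample the first check already flags both advertised resolvers, and the second narrows the redirect down to the one address that disney.com and example.com both land on while example.org’s partial CDN answer is left alone. Running the same checks on the clean sample returns empty results for all three fields.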
To add extra layers of legitimacy to the attack, the adversaries also use Bitbucket, a legitimate hosting service, to deliver the malicious payload and cloak the URL by using TinyURL. All of these tricks are designed to take the victim’s attention away from any suspicion that this might be an attack and entice him into downloading the malware.
“In the final stage of the attack a malicious file packed with MPRESS is downloaded. This payload is the Oski stealer that communicates with a C&C server for uploading the stolen information,” Arsene said. “Oski is a relatively new infostealer that seems to have emerged in late 2019. Some of the features that it packs revolve around extracting browser credentials and cryptocurrency wallet passwords, and its creators even brag that it can extract credentials stored in SQL databases of various Web browsers and Windows Registry.”
The initial method of compromise for the routers isn’t certain, but the brute-force method appears to be the most likely scenario. Arsene said Bitdefender has found victims in a number of countries, but the United States, France, and Germany account for the lion’s share.