Wednesday, December 25, 2024
HomeDNSHackers Hijack Home Routers & Change The DNS Settings to Implant Infostealer...

Hackers Hijack Home Routers & Change The DNS Settings to Implant Infostealer Malware

Published on

SIEM as a Service

Researchers discovered a new form of attack that targeted home routers and altered the DNS settings to redirect the victims to a malicious website that delivers the infostealer malware called “Osk” which seems to have emerged in late 2019.

Landing websites are posing with information about the Coronavirus pandemic and force victims to download the app that promises victims to provide “the latest information and instructions about coronavirus (COVID-19)” through the app.

COVID-19 Theme is nowadays badly abused to trap victims using phishing attacks and exploit the victims to steal sensitive data.

- Advertisement - SIEM as a Service

Attackers also use Bitbucket, the popular web-based version control repository hosting service to store the malicious payload, and the Popular URL shorten service TinyURL to hide the link that redirects users to reach the Bitbucket.

Researchers from Bitdefender reported the following key finding of this attack

1.Mostly targets Linksys routers, bruteforcing remote 
management credentials
2. Hijacks routers and alters their DNS IP addresses
3. Redirects a specific list of webpages/domains to a
malicious Coronavirus-themed webpage
4. Uses Bitbucket to store malware samples
5. Uses TinyURL to hide Bitbucket link
6 . Drops Oski inforstealer malware

Compromising The Routers

The attacker probes the internet to find the vulnerable home router to perform the password brute-forcing attack and change the DNS IP settings.

DNS setting is playing an important role in resolving the right IP address to the corresponding domain names.

If the attackers change the DNS IP addresses from the targeted routers, it resolves the user request to any web page that is controlled by the attacker.

The following list of the domain is targetted in this campaign:

  • aws.amazon.com”
  • “goo.gl”
  • “bit.ly”
  • “washington.edu”
  • “imageshack.us”
  • “ufl.edu”
  • “disney.com”
  • “cox.net”
  • “xhamster.com”
  • “pubads.g.doubleclick.net”
  • “tidd.ly”
  • “redditblog.com”
  • “fiddler2.com”
  • “winimage.com”

Users will be redirected to the IP addresses ( 176.113.81.159, 193.178.169.148, 95.216.164.181 ) If the traffic passes through the compromised router and the user will try to reach the above domains.

Changing the DNS settings never raises any red flag and users would believe they’ve landed on a legitimate webpage other than a different IP address.

“The webpages display a message purportedly from the World Health Organization, telling users to download and install an application that offers instructions and information about COVID-19,” Bitdefender said.

The attacker set the initial hyperlink to https://google.com/chrome which is a clean and well-known domain, but actually, an “on-click” event is set that changes the URL to the malicious one which is hidden with TinyURL.

Once victims click the download button, a malicious file drops from the Bitbucket repository but the victims are completely unaware of it.

“In the final stage of the attack, a malicious file packed with MPRESS is downloaded. This payload is the Oski stealer that communicates with a C&C server for uploading the stolen information.”

Bitdefender telemetry observed that most of the targeted vulnerable routers attempted to exploit were located in Germany, France, and the United States.

Also Read: What is DNS Attack and How Does it Work?

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...