For almost a week, a group of hackers has been breaking into people's routers and changing DNS settings in order to point unsuspecting device users to-related sites pushing malware.
According to Bitdefender, hackers are using brute-force attacks to guess the admin password of targeted routers. Once they guess a password and get in, hackers change the router's default DNS server settings, pointing the device to their own servers.
This means that every DNS query made by users connected to a hijacked router goes through the hackers' DNS servers, giving the attackers full control over what sites a user accesses.
Per reports, when users attempt to access a list of particular domains, hackers have been redirecting users to a custom site urging users to install a coronavirus (COVID-19) information app.
Both Bitdefender and Bleeping Computer said this app installs a version of the Oski trojan. Oski is a recent infostealer trojan sold on Russian-speaking dark web forums. The trojan's primary function is to steal account credentials from browsers and cryptowallet files to hijack cryptocurrency accounts.
Per Bitdefender, users have reported being redirected to the malicious coronavirus-themed site when they tried to access one of the following domains:
The malicious DNS servers used by hackers are 220.127.116.11 and 18.104.22.168. If ZDNet readers use a D-Link or Linksys router they should connect to the device's admin panel and check if these two IP addresses appear in the DNS settings section.
If they do, users should remove the DNS server IP addresses and change the router's admin panel password.
This campaign first began on March 18 and is currently ongoing. D-Link and Linksys owners should be on the lookout for any unprompted requests to download and install coronavirus-related apps -- a common malware lure these days, for both common cybercriminals and state-sponsored groups alike.