There has been a news in recent days attack that abuses the routers' DNS settings. Then, the web browsers show alerts for one fake application information for COVID-19. The application is supposed to come from World Health Organization. In fact, it doesn't exist application, but the malicious one software Oski stealing information.
In the last five days, people report that the web browser opens by itself and displays a message asking them to download one COVID-19 Inform App of the World Health Organization.
How is DNS settings misused?
It is not known at this time how the attackers acquire access to routers to change the DNS configuration, but some users state that it may have been because of her enabled remote access or weak passwords.
Once the hackers gain access, they change the settings, affecting the computers connected to the router.
When a computer is connected to a network, the Microsoft uses a function called Network Connectivity Status Indicator (NCSI) », which periodically runs some detectors that check if one computer is actively connected to the Internet.
In Windows 10, one of these active crawlers logs on to the http://www.msftconnecttest.com/connecttest.txt site and checks if the returned content contains the string “Test Microsoft Connect ”.
If this is the case, then the computer is connected to the Internet. If not, Windows warns that the Internet is inaccessible.
When Windows runs this NCSI detector, the victims this attack is not affiliated with the legal Microsoft 22.214.171.124 IP address. Malicious DNS servers send them to a website located at 126.96.36.199.
This IP address is under the control of the attacker, and instead of sending back a simple text file, it displays a page asking the victim to download and install a fake application WHERE with information about him coronavirus ('Emergency - COVID-19 Informator' or 'COVID-19 Inform App').
If a user downloads and installs the COVID-19 application, will install on his computer Oski Trojan.
The malware will then attempt to steal the following information:
- cookies of the browser
- browser history
- cryptocurrency wallets
- stored credentials
- text files
- 2FA database authenticator
- screenshot of your desktop at the time of infection
- other clues
This information is then uploaded to a remote server controlled by hackers. Attackers can use the data to make it happen other attacks on online accounts (bank account theft, identity theft or more Phishing attacks).
What should you do if you fall victim to this attack?
If your browser accidentally opens a page promoting a coronary information application (COVID-19), then you should connect to your router and make sure it receives DNS servers from your ISP.
Each router has a different way of configuring DNS servers.
In general, however, you can follow these steps:
- Connect to your router
- Find the DNS settings and make sure there are no servers, especially 188.8.131.52 and 184.108.40.206, configured manually. If present, set the DNS servers to "Automatic" or the ISP.
- Then save the settings.
- Restart on all mobile devices, game consoles, and computers so you can be sure they are using the correct DNS settings from your ISP.
As they are users report that their settings have changed due to weak password and remote management enabled, it is important to change your password and disable remote management on routers.
Finally, if you downloaded and installed the fake one application, you should immediately scan your computer for malware.
Then, you'll need to change all the passwords you use on sites and accounts. Choose large and strong passwords.