Thursday, January 21, 15:38
Home security Hackers infringe on DNS routers and spread malicious COVID-19 App

Hackers infringe on DNS routers and spread malicious COVID-19 App

DNS routers

There has been a news in recent days attack that abuses the routers' DNS settings. Then, the web browsers show alerts for one fake application information for COVID-19. The application is supposed to come from World Health Organization. In fact, it doesn't exist application, but the malicious one software Oski stealing information.

In the last five days, people report that the web browser opens by itself and displays a message asking them to download one COVID-19 Inform App of the World Health Organization.

Further investigation showed that these alerts were triggered by one attack that changed their DNS servers in housework D-Link or Linksys routers.

As most computers use the IP address and DNS information it provides router their, malicious DNS servers redirect them victims malicious content, which is under the control of the attacker.

How is DNS settings misused?

It is not known at this time how the attackers acquire access to routers to change the DNS configuration, but some users state that it may have been because of her enabled remote access or weak passwords.

Once the hackers gain access, they change the settings, affecting the computers connected to the router.

When a computer is connected to a network, the Microsoft uses a function called Network Connectivity Status Indicator (NCSI) », which periodically runs some detectors that check if one computer is actively connected to the Internet.

In Windows 10, one of these active crawlers logs on to the site and checks if the returned content contains the string “Test Microsoft Connect ”.

If this is the case, then the computer is connected to the Internet. If not, Windows warns that the Internet is inaccessible.

When Windows runs this NCSI detector, the victims this attack is not affiliated with the legal Microsoft IP address. Malicious DNS servers send them to a website located at


This IP address is under the control of the attacker, and instead of sending back a simple text file, it displays a page asking the victim to download and install a fake application WHERE with information about him coronavirus ('Emergency - COVID-19 Informator' or 'COVID-19 Inform App').

If a user downloads and installs the COVID-19 application, will install on his computer Oski Trojan.

The malware will then attempt to steal the following information:

  • cookies of the browser
  • browser history
  • cryptocurrency wallets
  • stored credentials
  • text files
  • 2FA database authenticator
  • screenshot of your desktop at the time of infection
  • other clues

This information is then uploaded to a remote server controlled by hackers. Attackers can use the data to make it happen other attacks on online accounts (bank account theft, identity theft or more Phishing attacks).

What should you do if you fall victim to this attack?

If your browser accidentally opens a page promoting a coronary information application (COVID-19), then you should connect to your router and make sure it receives DNS servers from your ISP.

Each router has a different way of configuring DNS servers.

In general, however, you can follow these steps:

  • Connect to your router
  • Find the DNS settings and make sure there are no servers, especially and, configured manually. If present, set the DNS servers to "Automatic" or the ISP.
  • Then save the settings.
  • Restart on all mobile devices, game consoles, and computers so you can be sure they are using the correct DNS settings from your ISP.

As they are users report that their settings have changed due to weak password and remote management enabled, it is important to change your password and disable remote management on routers.

Finally, if you downloaded and installed the fake one application, you should immediately scan your computer for malware.

Then, you'll need to change all the passwords you use on sites and accounts. Choose large and strong passwords.


Please enter your comment!
Please enter your name here

Absent Mia
Absent Mia
Being your self, in a world that constantly tries to change you, is your greatest achievement


COSMOTE and Microsoft provide new cloud solutions for businesses

COSMOTE and Microsoft expand their cooperation, offering even more advanced and high quality cloud solutions, in large and small ...

Cyber ​​attacks in Eastern Europe are on the rise!

The cyber-attacks that have taken place in many US government agencies and companies in recent months have caused concern in the developing countries of ...

Tesla reduces the prices of the Model 3 in Europe

Tesla has reduced the prices of the Model 3 in many European markets, which reductions could be partly linked ...

iOS, Android, XBox users in the crosshairs of a new malvertising campaign

Recently a new malvertising campaign was discovered that targets users of mobile and other connected devices and uses effective ...

Microsoft: "Zero trust" protects against sophisticated hacking attacks

According to Microsoft, the techniques used by the hackers of SolarWinds, were sophisticated but common and preventable. To avoid future attacks ...

US: Twitter locks Chinese embassy account due to "dehumanization"

Twitter said it locked the account of the Chinese embassy in the United States for a tweet about its women ...

Ransomware victims pay a ransom to prevent their data from being leaked

Keeping backups is very important, especially in cases of Ransomware attacks. However, it seems that the hackers are using new methods, with ...

QAnon fans: Disappointed on social media after Biden was sworn in

Some QAnon supporters have expressed frustration at online forums and chat rooms over Joe Biden's swearing-in. Most...

COVID-19: Amazon wants to help Biden distribute the vaccines

Amazon has offered to help President Biden distribute COVID-19 vaccines. The letter from Dave Clark, vice president ...

Nitro PDF: Leaked database with 77 million user files!

Hacker leaked on January 20 a stolen database containing email addresses, names and passwords for over ...