Hackers Spread Malware With Fake COVID-19 Info App Via DNS Hijacking Routers

A new malicious campaign is in the wild where hackers are hijacking DNS records to spread malware. The malware aims at stealing information from the target devices. With some changes, however, you can stay protected from these attacks.

DNS Hijacking Attacks Spread Malware

Bleeping Computer unveiled a malicious campaign actively targeting devices. The hackers behind this campaign conduct DNS hijacking attacks to spread malware.

The campaign caught their attention after numerous users began complaining about random prompts on their device browsers. The displayed prompts lured the user with a fake COVID-19 alert to download some informational app.

Further investigation revealed that this activity is part of an organized campaign where the attackers meddle with the DNS server configurations. The malicious DNS servers then redirect the users to malicious content.

Presently, it remains unclear as to how the attackers manage to gain access to the victim routers. However once they succeed, they would likely change the DNS servers to 109.234.35.230 and 94.103.82.249. Then, when a user connects to a network, the change in configuration results in the ‘Network Connectivity Status Indicator (NCSI)‘ feature to display the fake Covid-19 alert (shown below).

Source: Bleeping Computer

Naturally, seeing this prompt seemingly from the ISP and powered by WHO would urge the user to download the app. Doing so lets the embedded Vidar infostealer to install and execute on the target device.

How To Prevent

While a user may avoid downloading the malware by not clicking on the ‘Download’ button, the prompt is still annoying. Fortunately, there is a simple solution to prevent and resolve this matter.

Log in to your router admin portal, check for the appearance of 109.234.35.230 and 94.103.82.249 servers. If they are absent, you are safe, if not, set the DNS servers to ‘Automatic’ or ISP assigned. Save this router configuration and reboot to let the new DNS settings become active.

If someone has fallen prey to the infostealer, scan the device with a robust antimalware solution to get rid of it.

Let us know your thoughts in the comments.

 

Related posts

Apple Addressed Two Zero-Day Flaws In Intel-based Macs

Really Simple Security Plugin Flaw Risks 4+ Million WordPress Websites

Glove Stealer Emerges A New Malware Threat For Browsers