BUCHARIST, Romania–In what shouldn’t surprise many people, a new report has found an increase in cybercriminals’ attacks on home routers as more company and credit union executives work from home due to the coronavirus pandemic.
To make matters worse, criminals are frequently turning to scam emails that purport to be related to the coronavirus to get their intended victims to click on links that install malware that then targets the home routers and changes their DNS settings to redirect victims to a malware-serving website that delivers the Oski infostealer as a final payload, according to BitDefender.
“What’s interesting about the attack is that it stores malicious payloads using Bitbucket, the popular web-based version control repository hosting service,” BitDefender said. “To make sure the victim doesn’t suspect foul play, attackers also abuse TinyURL, the popular URL-shortening web service, to hide the link to the Bitbucket payload.”
According to BitDefender, the webpage to which users are redirected mentions the Coronavirus pandemic, promising to offer for download an application that will give out “the latest information and instructions about coronavirus (COVID-19).”
A ‘Recurring Theme’
BitDefender reported COVID-19 is a “recurring theme” that cybercriminals have been abusing to trap victims.
Key findings in the BitDefender analysis include:
- Mostly targets Linksys routers, bruteforcing remote management credentials
- Hijacks routers and alters their DNS IP addresses
- Redirects a specific list of webpages/domains to a malicious Coronavirus-themed webpage
- Uses Bitbucket to store malware samples
- Uses TinyURL to hide Bitbucket link
- Drops Oski inforstealer malware
The full report can be found here.