
Hijacked routers and attempted WHO hack highlight latest COVID-19 attacks


Businesses remain closed in many major cities around the world as the coronavirus pandemic rages, but cybercriminals are still open for business, as they continue to use the crisis to serve their nefarious purposes.

Today's latest round-up of coronavirus threats includes a reported hacking attempt against the World Health Organization, a DNS hijacking attack designed to spread a malicious COVID-19 app, and a bizarre plot to spread malware via a digital anti-virus solution.

Possible APT group targets the WHO

Sophisticated hackers, possibly from an international advanced persistent threat group, reportedly attempted to hack into the systems of the World Health Organization earlier this month.

The culprits and their precise motive are unknown, but two unnamed sources reportedly told Reuters that they suspect the actor is DarkHotel, a well-established APT group that is reputedly tied to East Asia, and more specifically, Korea.

The WHO's CISO Flavio Aggio reportedly told Reuters that there has been a significant increase in hacking attempts against the health agency amidst the coronavirus pandemic; however, this particular incident was unsuccessful.

Alexander Urbelis, a cyber expert with Blackstone Law Group, is credited with first detecting the malicious activity, after observing the hackers stand up a malicious website that impersonated the WHO's internal email system.

Later, Aggio reportedly confirmed that the phony website had been used in an attempt to steal passwords from members of the agency's workforce. Meanwhile, Costin Raiu, head of global research and analysis at Kaspersky, reportedly noted that the same web infrastructure has been recently used to target other health care and humanitarian organizations.

Routers Hijacked to Deliver Fake COVID-19 App Alert

Malicious actors are reportedly hijacking home routers and changing their DNS configurations in order to redirect Windows computer users to malicious content, in the form of a fake WHO alert.

According to BleepingComputer, victims of the campaign have observed their web browsers opening up by themselves and displaying a phony message that instructs them to download a supposed COVID-19 information app called "Emergency - COVID-19 Informator" or "COVID-19 Inform App." In reality, however, this app is actually the information-stealing malware known as Oski.

Oski is capable of stealing browser-based data -- including cookies, internet history and payment information -- as well as saved login credentials, cryptocurrency wallets, text files, browser form autofill information and Authy 2FA authenticator databases.

It is unknown how the attackers have been compromising the affected routers -- which include models from D-Link and Linksys -- but reports say some victims left their remote access capabilities open, and also used weak passwords.

"This attack highlights the need for people to make sure they change the default username/password for their home router, as a number of the affected users admitted having a weak or default combination," said Laurence Pitt, global security strategy director at Juniper Networks. "Most internet providers today provide routers that have a decent strength default security setup. It appears that this attack has targeted a certain brand of router, [which] would also indicate that users have left the default admin/password combination to access the device."

BleepingComputer says the website redirect happens when compromised Windows machines use their built-in Network Connectivity Status Indicator (NCSI) feature to check for internet connectivity. Instead of resolving the check to the correct Microsoft IP address, the rogue DNS servers send the user to a hacker-controlled site that displays the alert.

Users whose browsers are exhibiting this strange behavior should reconfigure their routers so that they automatically receive their DNS servers from the ISP, the report concludes.

Although this is largely a home router issue, Justin Jett, director of audit and compliance at Plixer, said that companies must be mindful of the threat too, as millions of business employees work from home to reduce exposure to the coronavirus.

"...[O]rganizations should be sure to have a solid VPN infrastructure in place for remote workers to connect to," said Jett. "This will provide employees using company laptops to securely connect to the corporate network without using the internal home network’s DNS settings."

Also, "be sure to have network traffic analytics configured in the network to monitor connections from remote workers that may have been affected by home network malware," Jett added. "This will help network and security teams identify where malware is present."
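A defender-side check of the kind Jett describes, written for this article as an added example (not code from BleepingComputer, Plixer or anyone quoted above): it scans constructed DNS query logs from remote workers and flags clients whose queries were answered by a resolver outside the expected set, or whose NCSI probe hostname resolved to an address that differs from the baseline seen through trusted resolvers. The NCSI hostnames are an assumption about current Windows builds, and every address in the sample is a constructed value from documentation ranges.

```python
import ipaddress
from collections import Counter, defaultdict

# Hostnames Windows queries for its NCSI connectivity probe (assumption: current
# Windows 10 builds; older builds used www.msftncsi.com instead).
NCSI_HOSTS = {"www.msftconnecttest.com", "dns.msftncsi.com"}

# Resolvers remote workers are expected to use (corporate resolver over the VPN
# or the ISP's range). Constructed value from RFC 5737 documentation space.
ALLOWED_RESOLVERS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed DNS log: "<client> <resolver> <qname> <answer>", one query per line.
# Client 10.8.0.14 behaves like a machine behind a hijacked home router.
SAMPLE_LOG = """\
10.8.0.11 203.0.113.53 www.msftconnecttest.com 203.0.113.200
10.8.0.12 203.0.113.53 www.msftconnecttest.com 203.0.113.200
10.8.0.13 203.0.113.53 www.msftconnecttest.com 203.0.113.200
10.8.0.14 198.51.100.9 www.msftconnecttest.com 192.0.2.77
10.8.0.14 198.51.100.9 example.org 198.51.100.30
10.8.0.15 203.0.113.53 example.org 198.51.100.30
"""


def parse_log(text):
    """Yield (client, resolver, qname, answer) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[0], parts[1], parts[2].lower().rstrip("."), parts[3]


def resolver_allowed(resolver):
    """True if the resolver address falls inside one of the expected networks."""
    addr = ipaddress.ip_address(resolver)
    return any(addr in net for net in ALLOWED_RESOLVERS)


def find_hijack_indicators(text):
    """Return {client: [reasons]} for clients whose DNS activity matches the hijack."""
    records = list(parse_log(text))
    findings = defaultdict(list)
    # 1. Any client whose queries were answered by an unexpected resolver.
    for client, resolver, _, _ in records:
        reason = f"unexpected resolver {resolver}"
        if not resolver_allowed(resolver) and reason not in findings.get(client, []):
            findings[client].append(reason)
    # 2. NCSI answers that differ from the baseline seen through trusted resolvers.
    trusted = Counter(a for _, r, q, a in records if q in NCSI_HOSTS and resolver_allowed(r))
    if trusted:
        baseline = trusted.most_common(1)[0][0]
        for client, _, qname, answer in records:
            if qname in NCSI_HOSTS and answer != baseline:
                findings[client].append(f"{qname} resolved to {answer}, baseline {baseline}")
    return {client: reasons for client, reasons in findings.items() if reasons}
```

Fed with real resolver logs from the VPN concentrator, the same two checks give the network team a short list of remote workers whose home DNS settings need attention.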

Bizarre Anti-Virus Scam Spreads RAT

In one of the oddest COVID-19 cyber plots, malicious actors set up a scam website that advertises a phony digital anti-virus solution that people can download on their computers to supposedly protect them from the coronavirus.

The website, antivirus-covid19[.]site, makes a truly strange claim. "Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running," the site says, according to a company blog post from Malwarebytes.

But downloading this program actually infects users with the BlackNET remote access trojan. BlackNET grants multiple capabilities to attackers, who can launch DDoS attacks, take screenshots, perform key logging, steal saved passwords and Firefox cookies, steal from Bitcoin wallets, execute scripts and more.

Ginp banking trojan adds 'Coronavirus Finder' scam to bag of tricks

A new version of the Ginp banking trojan – traditionally known for infecting Android device users and tricking them into giving away their credit card information – has the ability to send its victims a new lure inspired by the coronavirus pandemic.

Per a new blog post from Kaspersky, Ginp can now receive a command to open up a phony web page called “Coronavirus Finder” that claims to show users who is infected with COVID-19 in their area. But, of course, there’s a catch: users must pay with their credit card information in order to receive this supposedly vital information.

“Once you fill in your credit card data, it goes directly to the criminals… and nothing else happens,” states the blog post, from Kaspersky Malware Analyst Alexander Eremin. “They don’t even charge you this small sum (and why would they, now that they have all the funds from the card at their command?). And of course, they don’t show you any information about people infected with coronavirus near you, because they don’t have any.”

Ginp largely infects Android device owners based in Spain, but Kaspersky theorizes that this latest version of the malware could potentially be used in a more geographically dispersed campaign. "…[T]his is a new version of Ginp that is tagged 'flash-2,' while previous versions were tagged 'flash-es12,'" Eremin states in the Kaspersky blog post. "Maybe the lack of 'es' in the tag of the newer version means that cybercriminals plan to expand the campaign beyond Spain," the report concludes.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
