Landing websites present information about the Coronavirus pandemic and compel victims to download an app promising to provide victims “the latest information and instructions about coronavirus (COVID-19)” through the app. COVID-19 Nowadays theme is badly exploited to lure victims using phishing attacks and trick victims to steal confidential information. Attackers can use Bitbucket, the famous web-based version control repository hosting service to store malicious payload, and TinyURL, the current URL shorten service to cover the connection that redirects users to get to the Bitbucket. Bitdefender investigators confirmed the following main findings of this attack Attacker searching the internet to locate the vulnerable home router to execute a brute-forcing attack on the password and change the DNS IP settings. DNS configuration plays a significant role in the determination of the right IP address for the respective domain names. If the attackers modify the DNS IP addresses from the targeted routers, the user request will be resolved to any web page which the attacker controls. In this campaign, the following domain list is targeted:
aws.amazon.com” “goo.gl” “bit.ly” “washington.edu” “imageshack.us” “ufl.edu” “disney.com” “cox.net” “xhamster.com” “pubads.g.doubleclick.net” “tidd.ly” “redditblog.com” “fiddler2.com” “winimage.com”
Users will be routed to the IP addresses (176.113.81.159, 193.178.169.148, 95.216.164.181) if the traffic that passes through the compromised router and the user tries to access the domains mentioned above. Changing the DNS settings never raises any red flag and users will believe they have landed on a legitimate website other than another IP address. Attacker sets the initial hyperlink to https:/google.com/chrome, a clean and well-known domain but, in reality, an “on-click” event is set that changes the URL to the malicious one hidden with TinyURL. When victims press the download button, the Bitbucket repository drops a malicious file, but the victims are unaware of it. Bitdefender telemetry found that most of the targeted vulnerable routers in Germany, France and the United States are attempted to hack.
