Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

Coronavirus-related malware spread through hijacked routers

Coronavirus-related malware spread through hijacked routers

As cybercriminals become more and more creative in how they target and gain access to a system, researchers are noticing more coronavirus-related threats. Within the past few weeks, hackers have begun to hijack routers in order to change system settings and redirect victims to a fake app that promotes coronavirus awareness. If a victim downloads the app, cybercriminals release a harvesting malware to steal personal and financial information.


How does this work?

Researchers discovered that hackers are utilizing a new threat vector to target victims in order to infect them with a new info-stealing malware. Cybercriminals are able to hijack routers (mostly Linksys routers) by brute force or man-in-the-browser attacks. And once in, they change the Domain Name System (DNS) settings to redirect victims unknowingly to a fake IP address; the user has no idea their system has been hijacked.

RELATED: Growth of Coronavirus Themed Cyberattacks

As a victim inputs an authentic website name (such as or into the address bar, he/she is instead sent to a hacker-controlled, coronavirus-related app to download. The domain name in the address bar remains unchanged, making the fake page look legitimate. If the app is downloaded, the user’s computer becomes infected with Oski malware, which emerged late 2019 and is known to steal:

  • Browser cookies and history
  • Payment information
  • Saved log-in credentials
  • Cryptocurrency wallets
  • text files
  • Form autofill information
  • Authy’s 2FA authenticator databases
  • A screenshot of your desktop (as proof)


Oski made an impact in North America and China last year, and within a few days of its use through hijacked routers, the U.S., Germany, and France reported 1,193 victims. Researchers expect more within the coming weeks. The initial payload for the cybercriminals seems to be the downloader itself, but the information stolen by Oski can be used to steal money, for identity theft, and even spear phishing.


What can you do to stop this?

With the growth of legitimate news concerning COVID-19 also comes many harmful websites that provide false information (whether known or unknown) or act as downloaders for malware. If a suspicious coronavirus-related app downloader pops up in your browser:
  • Reconfigure your DNS server
  • Change all access and account-related credentials
  • Update all passwords related to the system or that you may have used while hijacked
  • Ensure your firmware is up-to-date
  • Scan your computer with your security software


And, to stop a hijacking from happening to you:
  • Read your coronavirus-related news carefully
  • Don’t click on or download anything without making sure the link is legitimate
  • Keep your system safe by using strong, secure passwords
  • Don’t use form autofill or save passwords in your browser
  • Clear your browser history regularly
  • Scan your computer frequently for viruses and keep everything up-to-date


Finally, be attentive to all incoming email related to the COVID-19 pandemic—malware also occurs with just a few clicks of a malicious email.

SEE RELATED: HIPAA Compliant email: The Definitive Guide

We all have concerns about the pandemic and want to stay on top of the news, but it's important to be vigilant to stop from becoming a victim of cybercriminals.


Try Paubox Email Suite for FREE today.

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.