
Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps




A new cyber attack is hijacking routers' DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is the Vidar information-stealing malware.

For the past five days, people have been reporting their web browser would open on its own and display a message prompting them to download a 'COVID-19 Inform App' that was allegedly from the World Health Organization (WHO).

After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers.

As most computers use the IP address and DNS information provided by their router, the malicious DNS servers were redirecting victims to malicious content under the attacker's control.

Hijack Windows NCSI active probes 

At this time, it is not known how the attackers are gaining access to the routers to change their DNS configuration, but some users state that they had remote access to the router enabled with a weak admin password.


Bottom line - if you allow remote access to your router, you must secure it with a strong admin password.

Edited by itman

Comment from the above posted link article site:


I had this happen to me. I'm a pretty tech savvy guy, and this totally caught me by surprise. I figured it was a DNS hijack, which I've seen many times helping other people with their computer issues. Anytime I've seen a DNS hijack, it was because someone unknowingly downloaded malware that changed the DNS server in the network settings on the computer. So I checked my network properties and saw that my DNS was unchanged. Then the message popped up on my wife's PC. So we scanned for malware on both machines and it came back clean. Puzzled, I grabbed a live Linux flash drive and booted it up. Soon as I did, I saw the message about needing to sign in to connect to the internet, and immediately the COVID-19 APP window popped. That's when I knew it wasn't malware on my PCs, but something affecting my entire network. So I started searching around the internet and found this article. Logged into my router, and sure enough, the very IPs listed here were in my router. Fortunately I was never foolish enough to click the "download" button on the popup window. My router is an older Linksys. Maybe since it's older and hasn't had a firmware update in a few years there is an unaddressed vulnerability? I'm VERY tempted to just go out and buy a new router...

Time you ensure your router's firmware is updated to the latest version if it's a D-Link or Linksys router.


This topic is now closed to further replies.
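
The thread describes DNS servers being changed on the router while the PC's own network settings looked unchanged. As an added example (not part of the thread or the quoted article), this Python sketch audits the DNS servers shown in Windows `ipconfig /all` output against a list of resolvers you expect. The sample output, all addresses, the `expected` list and the function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 plus IPv6 unique-local/link-local: a DNS server here is a LAN device.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed `ipconfig /all` excerpts; every address is a placeholder.
HOST_USING_ROUTER = """\
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
HOST_GIVEN_UPSTREAM = """\
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       198.51.100.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def _ip(text):
    """Parse an address, dropping an IPv6 zone id such as %12; None if not an IP."""
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Collect addresses under each 'DNS Servers' label, including continuation lines."""
    found, collecting = [], False
    for line in ipconfig_text.splitlines():
        label = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        addr = _ip(label.group(1)) if label else (_ip(line) if collecting else None)
        collecting = addr is not None
        if addr is not None and addr not in found:
            found.append(addr)
    return found

def audit(ipconfig_text, expected):
    """Map each DNS server to 'expected', 'lan-relay' or 'unexpected'."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    verdicts = {}
    for addr in dns_servers(ipconfig_text):
        if addr in allowed:
            verdicts[str(addr)] = "expected"
        elif any(addr in net for net in LAN_NETS):
            # Host forwards to a LAN device; its upstream resolvers are not visible from here.
            verdicts[str(addr)] = "lan-relay"
        else:
            verdicts[str(addr)] = "unexpected"
    return verdicts
```

A `lan-relay` result only says the host hands its queries to a LAN device; the resolvers that device uses have to be read from the router's own settings page.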