The COVID-19 crisis has also given people with ill intent more ammunition. A new type of cyber attack has been reported that changes DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization. The attackers are known to use 109.234.35.230 and 94.103.82.249 as DNS servers. Computers that connect to a router configured with these DNS servers inherit the settings; the attackers then abuse the Microsoft NCSI (Network Connectivity Status Indicator) feature, redirecting its connectivity check to a website under their control instead of the usual Microsoft website. Users are prompted to download a COVID-19 app which is actually the Oski information-stealing Trojan.
To detect whether users are affected by this attack, the report below lists Windows computers that have one of the specified IPs among their DNS servers. Once detected, you can take action: revert the DNS changes and review your network security, as the network is most likely compromised.
DNS Hack Query
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
tblAssets.Lastseen,
tblAssets.Lasttried,
tblNetwork.DNSServerSearchOrder As DNSserver,
tblNetwork.IPAddress As NetworkIPAddress,
tblNetwork.IPSubnet,
tblNetwork.Lastchanged
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tblAssets.OScode = tsysOS.OScode
Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNetwork On tblAssets.AssetID = tblNetwork.AssetID
Where tblState.Statename = 'Active' And tblNetwork.IPAddress <> '0.0.0.0' And
tblNetwork.IPAddress <> '' And tblNetwork.IPEnabled = 'True' And
-- parentheses are required: without them the Or applies to the whole Where clause
-- and the second Like matches rows regardless of the Active / IPEnabled filters
(tblNetwork.DNSServerSearchOrder Like '%109.234.35.230%' Or
tblNetwork.DNSServerSearchOrder Like '%94.103.82.249%')
Order By tblAssets.AssetName,
tblAssets.Domain,
DNSserver
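As an added example (not part of the original report), the same indicator check applied in Python to an export of the report's AssetName and DNSserver columns. It compares each address in the comma-separated DNSServerSearchOrder exactly, so a value such as 194.103.82.249, which a Like '%94.103.82.249%' substring match would also flag, is not reported. The sample rows are constructed.

```python
import ipaddress

# Attacker-controlled DNS resolvers named on this page.
ROGUE_DNS = {"109.234.35.230", "94.103.82.249"}


def dns_servers(search_order):
    """Split a DNSServerSearchOrder value ("a.b.c.d,e.f.g.h") into
    validated IP addresses; blank or malformed tokens are skipped."""
    servers = []
    for token in (t.strip() for t in (search_order or "").split(",")):
        if not token:
            continue
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # not an IP address, ignore
    return servers


def rogue_servers(search_order):
    """Return the rogue resolvers present in a search order. Whole-address
    comparison, so '194.103.82.249' is not a hit (a SQL Like on the
    substring '94.103.82.249' would count it)."""
    return [s for s in dns_servers(search_order) if s in ROGUE_DNS]


def affected_assets(rows):
    """rows: iterable of (asset_name, dns_server_search_order) pairs, as in
    a CSV export of the report. Yields (asset_name, [rogue ips])."""
    for asset, order in rows:
        hits = rogue_servers(order)
        if hits:
            yield asset, hits


# Constructed sample rows in the shape of the report's AssetName / DNSserver columns.
SAMPLE_ROWS = [
    ("WS-001", "192.168.1.1,109.234.35.230"),
    ("WS-002", "94.103.82.249"),
    ("WS-003", "194.103.82.249,8.8.8.8"),  # contains a rogue IP as substring only
    ("WS-004", ""),
    ("WS-005", "10.0.0.2, 94.103.82.249 "),
]

if __name__ == "__main__":
    for asset, hits in affected_assets(SAMPLE_ROWS):
        print(f"{asset}: rogue DNS server(s) {', '.join(hits)}")
```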