Roaming Mantis  - New Project - Roaming Mantis DNS hijacking malware Targets Users Globally

Roaming expands Geographically with many new capabilities. Initially, it only the Android , now the authors improved their code by adding more geographies, platform support, and capabilities.

The DNS malware Dubbed Roaming Mantis designed to spread via DNS hijacking method. It redirects the users to the malicious pages and leads to download the Trojanized application spoofed Facebook or Chrome.

According to Kaspersky researchers “In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their /evasion methods.”

Geographical Expanded – Roaming Mantis

Now the landing page and the apk file support for 27 new languages covering Europe and the Middle East, so that the landing page and the malicious apk file will be downloaded corresponding to the device language.

Roaming Mantis  - roaming mantis update 14 - Roaming Mantis DNS hijacking malware Targets Users Globally

According to the Kaspersky report more than 120 users of Kaspersky Lab products were affected in the last 10 days, the most affected countries are Russia, Ukraine, and India.

Phishing Campaign iOS device & mining with

Now the group behind Roaming Mantis targets iOS devices as well, with a phishing site http://[.]apple[.]com to steal the user credentials.

The domain could not be resolved with legitimate DNS as it doesn’t exist and only the rogue DNS can resolve to the domain. If the user establishes the connection via compromised router it resolves with the domains that mimicking the Apple website.

Roaming Mantis  - roaming mantis update 04 - Roaming Mantis DNS hijacking malware Targets Users Globally

The Phishing page supports for 2 languages and it is designed to steal user ID, password, card number, card expiration date and CVV.

Also, it inherits the web mining via a special script executed in the browser. It uses the most popular Coinhive web miner if the user connects to the landing page their CPU usage will increase terribly.

The threat actors behind Roaming Mantis have been quite active in improving their tools. To evade detection, it generates the malicious filename in real-time.

Roaming Mantis  - roaming mantis update 12 - Roaming Mantis DNS hijacking malware Targets Users Globally

With the recent campaign it uses email protocol instead of HTTP to retrieve C2 servers, the malware connects via POP3 to a hardcoded outlook credentials and then extracts the real C2 address using the string “abcd” as an anchor.

Researchers concluded, “The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.”

Source link


Please enter your comment!
Please enter your name here