Roaming Mantis SMSishing campaign now targets Europe

The Roaming Mantis SMS phishing campaign is now targeting Android and iPhone users in Europe with malicious apps and phishing pages.

Roaming Mantis surfaced in March 2018 when hacked routers in Japan redirecting users to compromised websites. Roaming Mantis is a credential theft and malware campaign that leverages smishing to distribute malicious Android apps in the format of APK files.

Investigation by Kaspersky Lab indicates that the attack was targeting users in Asia with fake websites customized for English, Korean, Simplified Chinese and Japanese. Most impacted users were in Bangladesh, Japan, and South Korea.

The latest wave of attacks aimed at spreading phishing links via SMS messages (SMiShing), most of the victims were users in Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran, and Vietnam.

Now the Roaming Mantis SMS phishing campaign is targeting Android and iPhone users in Germany and France with malicious apps and phishing pages.

Starting from April 2019, the campaign started using a new landing page to target iOS devices in the attempt to trick victims into installing a malicious iOS mobile configuration.

The configuration allows the launch of the phishing site in a web browser and to gather information from the target device.

In recent Roaming Mantis campaigns, operators employed a trojan dubbed ‘Wroba‘ in attacks aimed at users in France and Germany. The infection chain starts with an SMS containing

“Our latest research into Roaming Mantis shows that the actor is focusing on expanding infection via smishing to users in Europe. The campaign in France and Germany was so active that it came to the attention of the German police and French media. They alerted users about smishing messages and the compromised websites used as landing pages.” reads the analysis published by Kaspersky.

The infection chain starts with an SMS text on the target device, which contains a warning message about a shipped package with an included URL.

Upon clicking on the link, a victim is redirected to a phishing page designed to steal the user’s Apple login credentials.

If the victim uses an Android device, they will be redirected to a page that attempt to trick them into installing malware disguised as an Android app. Below are some of the impersonated apps, containing Wroba, used in this campaign:

Roaming Mantis operators employed various obfuscation techniques in the landing page script in order to evade detection.

The analysis of Wroba.g/Wroba.o samples revealed several modifications in the loader module and payload.

The Wrogba loader and payload are now written in Kotlin, instead of Java that was used in the past as a programming language. Another change is related to the list of commands supported by the backdoor that now includes “get_gallery” and “get_photo” that allows operators to steal the victim’s photos and videos.

“It has been almost four years since Kaspersky first observed the Roaming Mantis campaign. Since then, the criminal group has continued its attack activities by using various malware families such as HEUR:Trojan-Dropper.AndroidOS.Wroba, and various attack methods such as phishing, mining, smishing and DNS poisoning. In addition, the group has now expanded its geography, adding two European countries to its main target regions.” concludes Kaspersky. “We predict these attacks will continue in 2022 because of the strong financial motivation.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Roaming Mantis)

[adrotate banner=”5″]

[adrotate banner=”13″]