Pierluigi Paganini April 08, 2019

Kaspersky Lab reported that hundreds of users have been targeted with malware over the past month as part of a recent Roaming Mantis campaign.

Security experts at Kaspersky Lab reported that hundreds of users have been targeted with malware over the past month as part of a new campaign associated with Roaming Mantis gang.

Roaming Mantis surfaced in March 2018 when hacked routers in Japan redirecting users to compromised websites. Investigation by Kaspersky Lab indicates that the attack was targeting users in Asia with fake websites customized for English, Korean, Simplified Chinese and Japanese. Most impacted users were in Bangladesh, Japan, and South Korea.

The latest wave of attacks aimed at spreading phishing links via SMS messages (SMiShing), most of the victims were users in Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran, and Vietnam.

Researchers detected Roaming Mantis-related malware over 6,800 times for more than 950 unique users in the period between February 25 and March 20, 2019.

Experts believe that the recent campaign has a much bigger scale compared with previous ones and the numbers reported in the analysis reflect only a small part of this campaign.

Attackers used a new method of phishing with malicious mobile configurations along with previously observed DNS manipulation technique.

Unlike previous attacks, this time Roaming Mantis attackers used a new landing page to target iOS devices in the attempt to trick victims into installing a malicious iOS mobile configuration.

The configuration allows the launch of the phishing site in a web browser and to gather information from the target’s device.

Android users have been infected with malware that Trend Micro tracked as XLoader and McAfee tracks as MoqHao.

“Our key finding is that the actor continues to seek ways to compromise iOS devices and has even built a new landing page for iOS users. When an iPhone user visits this landing page, she sees pop-up messages guiding her to the malicious iOS mobile config installation” reads the analysis published by Kaspersky.

“After installation of this mobile config, the phishing site automatically opens in a web browser and collected information from the device is sent to the attacker’s server. This information includes DEVICE_PRODUCT, DEVICE_VERSION, UDID, ICCID, IMEI and MEID.”

“On the Android front, our telemetry data shows a new wave of malicious APK files which we detect as “Trojan-Dropper.AndroidOS.Wroba.g”.

In late February 2019, experts detected a URL query of a malicious DNS changer that attackers used to compromise router DNS settings. The attack works if the following conditions are met: no authentication for the router’s control panel from the localnet; the device has an admin session for the router panel; and a simple username and password (or default) are used for the router, such as admin:admin.

Experts at Kaspersky discovered that several hundred routers have been compromised in this way and that all pointed to the rogue DNS IPs.

“We have seen increased distribution of sagawa.apk Type A since late February 2019. This wave is characterized by a new attack method of phishing with malicious mobile config, although the previously observed DNS manipulation is also still actively used.”
Kaspersky concludes “We find the use of malicious mobile config especially alarming as this may cause serious problems for the users,”

Pierluigi Paganini

(SecurityAffairs – Roaming Mantis, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]