Roaming Mantis extends DNS hijacking attacks from Asia to rest
of world, adds crypto-mining
On 16 April, Kaspersky Lab
researchers reported on
a new Android malware distributed through a domain name system (DNS) hijacking
technique and targeting mainly smartphones in Asia. Four weeks on, the threat
continues to evolve rapidly and has now extended its target geography to
include Europe and the Middle East, adding a phishing option for iOS devices
and PC crypto-mining capability. The campaign, dubbed Roaming Mantis, is
designed mainly to steal user information including credentials and to provide
attackers with full control over the compromised device. The researchers
believe a Korean- or Chinese-speaking cybercriminal group looking for financial
gain is behind the operation.
Method of attack
Kaspersky Lab’s findings indicate that the
attackers behind Roaming Mantis seek out vulnerable routers for compromise, and
distribute the malware through a simple yet very effective trick of hijacking
the DNS settings of those infected routers. The method of router compromise
remains unknown. Once the DNS is successfully hijacked, any attempt by users to
access any website leads them to a genuine-looking URL with forged content
coming from the attackers’ server. This includes the request: “To better
experience the browsing, update to the latest chrome version.” Clicking on the
link initiates the installation of a Trojanized application named either
‘facebook.apk’ or ‘chrome.apk’, which contains the attackers’ Android
backdoor.
The Roaming Mantis malware checks to see if
the device is rooted and requests permission to be notified of any communications
or browsing activity undertaken by the user. It is also capable of
collecting a wide range of data, including credentials for two-factor
authentication. The attackers’ interest in this, and the fact that some of the malware
code includes references to mobile banking and game application IDs popular in
South Korea suggest a possible financial motive behind this campaign.
Expanded target geography and features
Kaspersky Lab’s initial research uncovered
around 150 targets, mainly in South Korea, Bangladesh, and Japan, but it also
revealed thousands of connections hitting the attackers’ command & control
(C2) servers on a daily basis, pointing to a far larger scale of attack. The
malware included support for four languages: Korean, simplified Chinese, Japanese,
and English.
The attack range has now been extended,
supporting 27 languages in all, including Polish, German, Arabic, Bulgarian and
Russian. The attackers have also introduced a redirection to Apple-themed
phishing pages if the malware encounters an iOS device. The latest addition to
the arsenal is a malicious website with PC crypto-mining capability. Kaspersky Lab’s
observations suggest that at least one wave of wider attacks has taken place,
with researchers noting over 100 targets among Kaspersky Lab customers within a
few days.
“When we first reported on Roaming Mantis
in April we said that it was an active and rapidly changing threat. New
evidence shows a dramatic expansion in target geography to include Europe and
the Middle East, and more. We believe the attackers are cybercriminals looking
for financial gain and have found a number of clues to suggest that the
attackers speak either Chinese or Korean. There is clearly considerable
motivation behind this threat, so it is unlikely to diminish any time soon. The
use of infected routers and hijacked DNS highlights the need for robust device
protection and the use of secure connections,” says Suguru Ishimaru, Security
Researcher at Kaspersky Lab Japan.
Kaspersky Lab products detect the Roaming
Mantis threat as ‘Trojan-Banker.AndroidOS.Wroba’, and the crypto-miner as
‘Dangerous URL blocked’.
In order to protect
your internet connection from this infection, Kaspersky Lab recommends the
following:
● Refer to your router’s user manual to verify
that your DNS settings haven’t been tampered with, or contact your ISP for
support.
● Change the default login and password for the
admin web interface of the router and regularly update your router’s firmware
from the official source.
● Never install router firmware from third party
sources. Avoid using third-party repositories for your Android devices.
● Further, always check browser and website
addresses to ensure they are legitimate; look for signs such as https when
asked to enter data.
● Consider installing a mobile security
solution, such as Kaspersky Internet Security for
Android, to protect your devices from these and other threats.
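The check below is an added example, not Kaspersky Lab’s code or anything from the Securelist write-up: it implements the first recommendation above against the router-level DNS hijacking described under Method of attack by resolving a name through the locally configured resolver and through a trusted resolver, and flags the case where the two answer sets share no address. The resolver addresses, the names to resolve and the embedded sample response are constructed assumptions.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query for `name` with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, off):
    """Return the offset just past a DNS name, handling RFC 1035 compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a pointer is two bytes and terminates the name
            return off + 2
        off += 1 + length

def parse_a_records(resp):
    """Collect the IPv4 addresses from the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):  # skip question name plus QTYPE/QCLASS
        off = _skip_name(resp, off) + 4
    ips = set()
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def query(resolver, name, timeout=3.0):
    """Ask `resolver` for `name` over UDP/53 and return the set of A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return parse_a_records(s.recv(512))

def looks_hijacked(local_answers, trusted_answers):
    """True when the local resolver answers only with addresses the trusted resolver never gives."""
    return bool(local_answers) and local_answers.isdisjoint(trusted_answers)

# Constructed sample response (not a real observation): example.com -> 203.0.113.5 (TEST-NET-3).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00\x00\x01\x00\x01"
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 5]))
```

Run query() against the router address named in your DHCP lease and against a resolver you trust, for a few names with stable addresses, and pass both results to looks_hijacked(). CDN-hosted names legitimately resolve differently per resolver, so treat a mismatch as a prompt to inspect the router’s DNS settings rather than as proof of compromise.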
For more information
on Roaming Mantis and technical information, please read the blogpost on
Securelist.
About Kaspersky Lab
Kaspersky Lab is a
global cybersecurity company, which has been operating in the market for over
20 years. Kaspersky Lab’s deep threat intelligence and security expertise is
constantly transforming into next generation security solutions and services to
protect businesses, critical infrastructure, governments and consumers around
the globe. The company’s comprehensive security portfolio includes leading
endpoint protection and a number of specialized security solutions and services
to fight sophisticated and evolving digital threats. Over 400 million users are
protected by Kaspersky Lab technologies and we help 270,000 corporate clients
protect what matters most to them. Learn more at www.kaspersky.com.