The Roaming Mantis malware campaign is currently targeting users in South Korea, but Kaspersky cybersecurity researchers expect its reach to expand soon.
Kaspersky Lab reports that the notorious Roaming Mantis campaign, also known as Shaoye, has returned with a new scheme. Hackread.com reported that the Roaming Mantis operators use DNS changer functionality to abuse compromised public WiFi routers.
The goal is to infect large numbers of Android phones with the Wroba.o mobile malware (also known as Agent.eq, Moqhao and XLoader). Users in South Korea are the main target of this campaign, and Kaspersky's researchers expect its scope to widen soon.
Threat Analysis
Researchers found that the Roaming Mantis operators have updated Wroba, their proprietary mobile malware, so that it also hijacks the Domain Name System (DNS).
The attack targets South Korean WiFi routers made by one of South Korea's top network equipment suppliers.
The campaign recently added DNS changer functionality to its mobile malware. The DNS changer technique forces devices connected to a compromised WiFi router to send their DNS queries to an attacker-controlled server rather than a legitimate DNS resolver.
The hijacked DNS steers the victim to a malicious landing page, where they are asked to install malware that . Kaspersky observed 508 suspicious APK downloads in December 2022.
What is the Attack?
The new DNS changer function first checks the router's IP address to identify its model, then compromises the targeted router by changing its DNS settings. Devices that connect to a compromised WiFi router are redirected to fake landing pages through this DNS hijacking.
Whichever method is used, the attackers can then use the mobile malware to carry out further malicious actions. Suguru Ishimaru said this functionality can manage all device communications passing through the infected router, including redirecting users to malicious hosts or disabling updates for security products.
The Roaming Mantis
Roaming Mantis is a long-running, financially motivated cybercrime campaign that has infected Android phones with malware that steals banking credentials and other sensitive information. Kaspersky first noticed the campaign in . It used DNS hijacking to infect Android phones and steal data.
To steal data and gain control over infected Android phones, it used malicious APK (Android Package) files. A phishing option can be used for . The cybercriminals behind the campaign expanded their reach to France and Germany after initially targeting victims in Asia.
How can you stay protected?
To protect your internet connection against infection, refer to the router's manual to check its DNS settings. If your DNS settings have been altered, contact your ISP. Change your router's default password and login details, and regularly update its firmware from an official source only. Before visiting a site, verify that the browser and the URL are genuine, and confirm that a site is legitimate before entering any data.
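The DNS changer described above works by rewriting the resolver addresses a router uses upstream and advertises to its clients, and the protection advice comes down to verifying those addresses. The following Python script is an added example, not code from the article or from Kaspersky, that performs that check offline: it audits a transcribed set of router DNS settings against an allowlist of resolvers you trust, and cross-checks the answers your router's resolver gives against answers from a trusted resolver, which is the symptom of the redirection the article describes. The allowlist, the layout of the settings dictionary, the sample addresses (taken from documentation ranges) and the sample DNS answers are all constructed assumptions; replace them with your ISP's published resolvers and the values shown on your router's admin page.

```python
"""Audit router DNS settings for signs of a DNS-changer attack.

Added example (not the article's or Kaspersky's code). All sample
data below is constructed; the allowlist is an assumption you should
replace with the resolvers your ISP publishes or the ones you chose.
"""
import ipaddress

# Constructed allowlist of resolvers considered legitimate.
TRUSTED_RESOLVERS = {
    "1.1.1.1", "1.0.0.1",            # Cloudflare
    "8.8.8.8", "8.8.4.4",            # Google Public DNS
    "9.9.9.9", "149.112.112.112",    # Quad9
}

# Address ranges that normally belong to your own LAN (RFC 1918 + link-local).
# Listed explicitly rather than via ip.is_private so that documentation
# ranges such as 203.0.113.0/24 are treated as ordinary public addresses.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def classify_resolver(addr, router_lan_ip, trusted=TRUSTED_RESOLVERS):
    """Label one resolver address found in the router's settings.

    'trusted'     - on the allowlist
    'router-self' - the router itself forwards for LAN clients (normal for DHCP)
    'private'     - another LAN/link-local address; check that it is really yours
    'untrusted'   - a public address not on the allowlist: the DNS-changer signature
    'invalid'     - not an IP address at all
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if str(ip) in trusted:
        return "trusted"
    if str(ip) == router_lan_ip:
        return "router-self"
    if any(ip in net for net in LAN_RANGES):
        return "private"
    return "untrusted"


def audit_dns_settings(settings, trusted=TRUSTED_RESOLVERS):
    """Return (scope, address, label) for each resolver that needs attention.

    settings is transcribed from the router admin page, e.g.
      {"lan_ip": "192.168.0.1",
       "wan_dns": ["1.1.1.1", "203.0.113.77"],   # upstream resolvers the router uses
       "dhcp_dns": ["192.168.0.1"]}               # resolvers advertised to LAN clients
    Only 'trusted' and 'router-self' entries are silently accepted.
    """
    findings = []
    for scope in ("wan_dns", "dhcp_dns"):
        for addr in settings.get(scope, []):
            label = classify_resolver(addr, settings["lan_ip"], trusted)
            if label not in ("trusted", "router-self"):
                findings.append((scope, addr, label))
    return findings


def compare_answers(router_answers, trusted_answers):
    """Return domains where the router's resolver and a trusted resolver disagree.

    Both arguments map domain -> set of IPv4 strings (obtained out of band,
    e.g. with dig against each resolver). No overlap at all between the two
    answer sets for a banking or app-store domain is the symptom of the
    redirection described in the article. CDN-backed domains legitimately
    vary between resolvers, so treat a hit as a prompt to investigate.
    """
    return sorted(d for d in router_answers
                  if d in trusted_answers
                  and not router_answers[d] & trusted_answers[d])


if __name__ == "__main__":
    # Constructed sample: the router's upstream DNS was changed to an unknown host.
    sample = {"lan_ip": "192.168.0.1",
              "wan_dns": ["203.0.113.77", "8.8.8.8"],
              "dhcp_dns": ["192.168.0.1"]}
    for scope, addr, label in audit_dns_settings(sample):
        print(f"{scope}: {addr} is {label}")
    # Constructed answers: the router's resolver returns a different address
    # for one domain than the trusted resolver does.
    via_router = {"example.net": {"203.0.113.10"}, "example.org": {"192.0.2.44"}}
    via_trusted = {"example.net": {"198.51.100.5"}, "example.org": {"192.0.2.44"}}
    print("disagreements:", compare_answers(via_router, via_trusted))
```

A 'router-self' entry in the DHCP-advertised list is the normal configuration, so the audit focuses on the router's upstream (WAN) resolvers, which is exactly the setting the DNS changer rewrites; a 'private' entry is only suspicious if you did not configure it yourself.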