Roaming Mantis Spreading Mobile Malware That Hijacks Wi-Fi Routers’ DNS Settings

January 20, 2023 · Ravie Lakshmanan · network security / mobile hacking


Threat actors associated with the Roaming Mantis attack campaign have been observed distributing an updated variant of their mobile malware, Wroba, that breaks into Wi-Fi routers and performs Domain Name System (DNS) hijacking.

Kaspersky, which conducted an analysis of the malicious artifact, said the feature was designed to target specific Wi-Fi routers located in South Korea.

Roaming Mantis, also known as Shaoye, is a long-running financial campaign targeting Android smartphone users with malware capable of stealing bank account credentials and harvesting other types of sensitive information.

Since 2018, it has primarily targeted the Asian region, but in early 2022 the malware was detected disguising itself as the Google Chrome web browser application, expanding its reach to France and Germany for the first time.

The attack uses smishing messages as its initial intrusion vector of choice, distributing booby-trapped URLs that either deliver malicious APKs or redirect victims to phishing pages, depending on the operating system installed on the mobile device.


Alternatively, it compromises Wi-Fi routers and uses them to lure unsuspecting users to fake landing pages through DNS hijacking, a technique that manipulates DNS queries so that the target is redirected to a fake site.

Regardless of the method used, the intrusion paves the way for the deployment of a malware called Wroba (aka MoqHao and XLoader) that can perform numerous malicious activities.

According to the Russian cybersecurity firm, Wroba’s latest update includes a DNS changer feature designed to detect specific routers based on their model number and pollute their DNS settings.

“The new DNS Changer feature can manage all device communication with a compromised Wi-Fi router, including redirecting to malicious hosts and disabling updates for security products,” said Kaspersky researcher Suguru Ishimaru.

The underlying idea is to redirect devices connected to a compromised Wi-Fi router to an attacker-controlled web page for further exploitation. Given that some of these pages deliver the Wroba malware, the attack chain effectively creates a steady stream of “bots” that can be weaponized to infiltrate healthy Wi-Fi routers.
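The DNS hijacking described above manifests as a mismatch between what the router-assigned resolver returns for a domain and what a trusted resolver returns. The following is an added example written for this page, not code from the article or from Kaspersky: it parses DNS response messages (wire format, including name compression) and flags names whose router-resolver answers share no address with the trusted answers. The domain `bank.example`, the resolver responses and the RFC 5737 addresses are constructed test data, not observed indicators.

```python
"""Detect DNS hijacking by comparing A records from the router-assigned
resolver against those from a trusted resolver.
Added illustrative example; all DNS messages below are constructed by hand."""
import struct


def _read_name(msg, offset):
    """Decode a possibly-compressed DNS name starting at offset.
    Returns (name, offset_after_name)."""
    labels = []
    jumped = False
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends after the first pointer
            jumped = True
            offset = pointer
            continue
        if length == 0:  # root label terminates the name
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if end is None:
        end = offset
    return ".".join(labels), end


def parse_a_records(msg):
    """Parse a DNS response and return {name: [ipv4, ...]} for IN A answers."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = {}
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.setdefault(name, []).append(".".join(str(b) for b in rdata))
    return answers


def build_response(txid, qname, ips):
    """Build a minimal DNS response with one question and one A record per IP
    (constructed test data standing in for a real resolver's reply)."""
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD=1, RA=1
    question = qname_wire + struct.pack("!HH", 1, 1)
    rrs = b""
    for ip in ips:
        rrs += struct.pack("!H", 0xC00C)  # compression pointer to the qname at offset 12
        rrs += struct.pack("!HHIH", 1, 1, 300, 4)  # TYPE A, CLASS IN, TTL 300, RDLENGTH 4
        rrs += bytes(int(o) for o in ip.split("."))
    return header + question + rrs


def detect_hijack(router_answer, trusted_answer):
    """Return the names whose router-resolver A records share no address with
    the trusted resolver's A records, a strong sign of DNS hijacking."""
    router = parse_a_records(router_answer)
    trusted = parse_a_records(trusted_answer)
    suspicious = []
    for name, trusted_ips in trusted.items():
        router_ips = set(router.get(name, []))
        if router_ips and router_ips.isdisjoint(trusted_ips):
            suspicious.append(name)
    return suspicious


# Constructed sample: the router-assigned resolver answers with a different
# address for the bank's domain than a trusted resolver does. The addresses
# come from the RFC 5737 documentation ranges and are placeholders.
TRUSTED = build_response(0x1234, "bank.example", ["192.0.2.10"])
ROUTER_OK = build_response(0x1234, "bank.example", ["192.0.2.10"])
ROUTER_HIJACKED = build_response(0x1234, "bank.example", ["203.0.113.77"])

if __name__ == "__main__":
    print(detect_hijack(ROUTER_OK, TRUSTED))        # []
    print(detect_hijack(ROUTER_HIJACKED, TRUSTED))  # ['bank.example']
```

In practice the two responses would come from sending the same query over UDP port 53 to the DHCP-assigned resolver and to a trusted resolver of your choice; the parser handles the returned bytes. Domains served through CDNs or multiple regional addresses can legitimately answer with disjoint sets, so the check is best run against a small list of domains whose addresses you control or know, and treated as a trigger to inspect the router's DNS configuration rather than as proof on its own.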

It’s worth noting that the DNS Changer program is only used in South Korea. However, the Wroba malware itself has been seen targeting victims in Austria, France, Germany, India, Japan, Malaysia, Taiwan, Turkey, and the United States via smishing.

“Users with infected Android devices who connect to free or public Wi-Fi networks can spread malware to other devices on the network if the Wi-Fi network they are connecting to is vulnerable.” said the researchers.
