{"id":50224,"date":"2023-01-19T18:54:00","date_gmt":"2023-01-19T18:54:00","guid":{"rendered":"https:\/\/www.darkreading.com\/remote-workforce\/roaming-mantis-uses-dns-changers-to-target-users-via-compromised-public-routers"},"modified":"2023-01-19T18:54:00","modified_gmt":"2023-01-19T18:54:00","slug":"roaming-mantis-uses-dns-changers-to-target-users-via-compromised-public-routers","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/roaming-mantis-uses-dns-changers-to-target-users-via-compromised-public-routers\/","title":{"rendered":"Roaming Mantis Uses DNS Changers to Target Users via Compromised Public Routers"},"content":{"rendered":"
<\/div>\n

Woburn, MA \u2013 January 19, 2023 \u2013<\/strong> <\/span>Today <\/span>Kaspersky<\/a> <\/span>researchers <\/span>reported<\/a> <\/span>on a new domain name system (DNS) changer functionality used in the infamous Roaming Mantis campaign. Cybercriminals have demonstrated they can use compromised public Wi-Fi routers to try to infect more Android smartphones with the campaign\u2019s Wroba.o malware. Attackers used the new technique against users in South Korea, but it could be soon implemented in other countries as well. <\/span><\/p>\n

Roaming Mantis (a.k.a Shaoye) is a cybercriminal campaign first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to control infected Android devices and steal device information. It also has a phishing option for iOS devices and cryptomining capabilities for PCs. The name of the campaign is based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection.<\/p>\n

New DNS changer functionality to attack more users via public routers<\/strong><\/p>\n

Kaspersky discovered that Roaming Mantis recently introduced a domain name system (DNS) changer functionality in Wroba.o (a.k.a Agent.eq, Moqhao, XLoader), the malware that was primarily used in the campaign. DNS changer is a malicious program that directs the device connected to a compromised Wi-Fi router to a server under the control of cybercriminals instead of a legitimate DNS server. On the malicious landing page, the potential victim is prompted to download malware that can control the device or steal credentials.<\/p>\n

At the moment, the threat actor behind Roaming Mantis is exclusively targeting routers located in South Korea and manufactured by a very popular South Korean network equipment vendor. To identify them, the new DNS changer functionality gets the router\u2019s IP address and checks the router\u2019s model, compromising targeted ones by overwriting the DNS settings. In December 2022, Kaspersky observed 508 malicious APK downloads in the country (see the Table 1). <\/span><\/p>\n

An investigation of malicious landing pages found that attackers are also targeting other regions using smishing instead of DNS changers. This technique employs text messages to spread malicious links that direct the victim to a malicious site to download malware onto the device or steal user info via a phishing website. Japan topped the list of targeted countries with nearly 25,000 malicious APK downloads from the landings created by cybercriminals. Austria and France followed with roughly 7,000 downloads each. Germany, Turkey, Malaysia and India rounded out the list. Kaspersky researchers predict that the perpetrators may soon update the DNS changer function to target Wi-Fi routers in those regions as well. <\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n\n
Country<\/strong> <\/span> <\/strong><\/td>\nNumber of downloaded malicious APK<\/strong> <\/span><\/td>\n<\/tr>\n
Japan<\/td>\n24,645<\/td>\n<\/tr>\n
Austria<\/td>\n7,354<\/td>\n<\/tr>\n
France<\/td>\n7,246<\/td>\n<\/tr>\n
Germany<\/td>\n5,827<\/td>\n<\/tr>\n
South Korea<\/td>\n508<\/td>\n<\/tr>\n
Turkey<\/td>\n381<\/td>\n<\/tr>\n
Malaysia<\/td>\n154<\/td>\n<\/tr>\n
India<\/td>\n28<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 1. The number of malicious APK downloads per country based on investigation of malicious landing pages created within Roaming Mantis campaign, the first half of December 2022<\/em><\/p>\n

According to Kaspersky Security Network (KSN) statistics in September \u2013 December 2022, the highest detection rate of Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) was in France (54.4%), Japan (12.1%) and the U.S. (10.1%). <\/span><\/p>\n

\u201cWhen an infected smartphone connects to \u2018healthy\u2019 routers in various public places like cafes, bars, libraries, hotels, shopping malls, airports, or even homes, Wroba.o malware can compromise these routers and affect other connected devices as well,\u201d said Suguru Ishimaru, senior security researcher at Kaspersky. \u201cThe new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products. We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions.\u201d <\/span><\/p>\n

To read the full report on newly implemented DNS changer functionality, please visit Securelist.com<\/a>.<\/p>\n

In order to protect your internet connection from this infection, Kaspersky researchers recommend the following:<\/p>\n