On 16 April, Kaspersky Lab researchers reported on a new Android malware distributed through a domain name system (DNS) hijacking technique and targeting mainly smartphones in Asia. Four weeks on, the threat continues to evolve rapidly and has now extended its target geography to include Europe and the Middle East, adding a phishing option for iOS devices and PC crypto-mining capability.


The campaign, dubbed Roaming Mantis, is designed mainly to steal user information including credentials and to provide attackers with full control over the compromised device. The researchers believe a Korean or Chinese-speaking cybercriminal group looking for financial gain is behind the operation.


Method of attack
Kaspersky Lab’s findings indicate that the attackers behind Roaming Mantis seek out vulnerable routers for compromise, and distribute the malware through a simple yet very effective trick of hijacking the DNS settings of those infected routers. The method of router compromise remains unknown.


Once the DNS is successfully hijacked, any attempt by users to access any website leads them to a genuine-looking URL with forged content coming from the attackers’ server. This includes the request: “To better experience the browsing, update to the latest chrome version.” Clicking on the link initiates the installation of a Trojanized application named either ‘facebook.apk’ or ‘chrome.apk’, which contains the attackers’ Android backdoor.


The Roaming Mantis malware checks to see if the device is rooted and requests permission to be notified of any communications or browsing activity undertaken by the user. It is also capable of collecting a wide range of data, including credentials for two-factor authentication.


The attackers' interest in such credentials, together with the fact that some of the malware code includes references to mobile banking and game application IDs popular in South Korea, suggests a possible financial motive behind this campaign.


Expanded target geography and features


Kaspersky Lab’s initial research uncovered around 150 targets, mainly in South Korea, Bangladesh, and Japan, but it also revealed thousands of connections hitting the attackers’ command & control (C2) servers on a daily basis, pointing to a far larger scale of attack. The malware included support for four languages: Korean, simplified Chinese, Japanese, and English.


The attack range has now been extended, supporting 27 languages in all, including Filipino, Polish, German, Arabic, Bulgarian and Russian. The attackers have also introduced a redirection to Apple-themed phishing pages if the malware encounters an iOS device.


The latest addition to the arsenal is a malicious website with PC crypto-mining capability. Kaspersky Lab’s observations suggest that at least one wave of wider attacks has taken place, with researchers noting over 100 targets among Kaspersky Lab customers within a few days.


“When we first reported on Roaming Mantis in April we said that it was an active and rapidly changing threat. New evidence shows a dramatic expansion in target geography to include Europe and the Middle East, and more. We believe the attackers are cybercriminals looking for financial gain and have found a number of clues to suggest that the attackers speak either Chinese or Korean. There is clearly considerable motivation behind this threat, so it is unlikely to diminish any time soon. The use of infected routers and hijacked DNS highlights the need for robust device protection and the use of secure connections,” says Suguru Ishimaru, Security Researcher at Kaspersky Lab Japan.


Kaspersky Lab products detect the Roaming Mantis threat as ‘Trojan-Banker.AndroidOS.


In order to protect your internet connection from this infection, Kaspersky Lab recommends the following:

  • Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with, or contact your ISP for support.
  • Change the default login and password for the admin web interface of the router and regularly update your router’s firmware from the official source.
  • Never install router firmware from third-party sources. Avoid using third-party repositories for your Android devices.
  • Further, always check browser and website addresses to ensure they are legitimate; look for signs such as https when asked to enter data.
  • Consider installing a mobile security solution, such as Kaspersky Internet Security for Android, to protect your devices from these and other threats.
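The first recommendation above (verify that the router's DNS settings have not been tampered with) can be turned into a check run from any client behind the router. The script below is an added example written for this article, not Kaspersky Lab's tooling: it flags resolvers handed out by DHCP that fall outside an expected set, and it compares the A records the system resolver returns for a well-known domain with those from an independently chosen resolver, since a router that has been hijacked in the way described above will hand clients resolvers that forge answers. The resolv.conf content and the 203.0.113.53 address are constructed sample values; the choice of 1.1.1.1 as the reference resolver and the RFC 1918 allow-list are assumptions you would adapt to your own network. Only the Python standard library is used; the DNS packet builder and parser are a deliberately minimal implementation (A records over UDP, no EDNS or TCP).

```python
"""
Added example (not from the Kaspersky Lab write-up): two client-side checks
for the DNS-hijacking pattern described in the article.

Check 1: the resolvers DHCP handed to this machine are ones we expect
         (the router itself, the ISP, or a chosen public resolver).
Check 2: an independent resolver returns the same A records for a domain as
         the system resolver; a mismatch on a well-known domain is a sign
         that answers are being forged upstream.
"""
import ipaddress
import socket
import struct

# Constructed sample: a resolv.conf as a DHCP client might write it after a
# hijacked router handed out a rogue resolver (203.0.113.53 is a documentation
# address used here as a placeholder, not a real indicator).
SAMPLE_RESOLV_CONF = """# Generated by DHCP client
nameserver 192.168.1.1
nameserver 203.0.113.53
search lan
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(resolvers, allowed):
    """Resolvers not inside any allowed address or network (e.g. '192.168.0.0/16')."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    flagged = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            flagged.append(r)                  # not a valid address: flag it
            continue
        if not any(addr in n for n in nets):
            flagged.append(r)
    return flagged


def build_dns_query(name, txid=0x1234):
    """Minimal DNS query for an A record: header plus one question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label terminates the name
            return off + 1
        off += 1 + length


def parse_a_records(response):
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(response, off) + 4      # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    return sorted(ips)


def query_resolver(resolver_ip, name, timeout=3.0):
    """Send the query over UDP to one specific resolver and return its A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dns_query(name), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data)


def resolution_mismatch(system_answers, reference_answers):
    """True when the two resolvers share no A record at all for the same name."""
    return not (set(system_answers) & set(reference_answers))


if __name__ == "__main__":
    # Check 1 on the constructed sample: only the router's RFC 1918 range and a
    # chosen public resolver are trusted here, so 203.0.113.53 gets flagged.
    resolvers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("flagged resolvers:", unexpected_resolvers(resolvers, ["192.168.0.0/16", "1.1.1.1"]))
    # Check 2 needs network access: system resolver versus 1.1.1.1 (assumed reference).
    try:
        system_ips = sorted({ai[4][0] for ai in socket.getaddrinfo("example.com", 80, socket.AF_INET)})
        reference_ips = query_resolver("1.1.1.1", "example.com")
        print("mismatch:", resolution_mismatch(system_ips, reference_ips), system_ips, reference_ips)
    except OSError as exc:
        print("live check skipped:", exc)
```

Run it on a workstation behind the router in question; in practice, replace SAMPLE_RESOLV_CONF with the contents of the machine's own /etc/resolv.conf (or the DNS servers shown in the network settings on other platforms). A flagged resolver or a mismatch on a stable domain is a reason to inspect the router's DNS configuration directly, as the recommendation above advises; a single mismatch alone is not proof, since large sites legitimately return different addresses from different resolvers, which is why the script only alerts when the two answer sets share nothing.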


For more information on Roaming Mantis and technical information, please read the blogpost on Securelist.
