Just five months after Kaspersky Lab’s first report on the DNS-hijacking operation infecting Android smartphones in Asia, the attack dubbed ‘Roaming Mantis’ remains highly active, exploring new tricks and techniques to extend its reach.

Close monitoring by Kaspersky Lab experts found that Roaming Mantis was attempting to web-mine on iOS devices used for legitimate cryptomining. The malware relied on the popular CoinHive miner, the tool it first used to infect PCs.

Malicious cryptocurrency mining refers to hackers infecting a cryptomining platform to mine cryptocurrency from unaware victims.

“In our first report, we warned that Roaming Mantis is clearly designed to attack and reach more users. True to its name, it has been extending its malicious arms rapidly since April, in terms of its location and attack and evasion methods. From infecting Android devices, it engaged in phishing activities and is now trying to mine iOS gadgets used for cryptomining. From the initial four languages in Asia, this malware is now using a further 27, covering Europe and the Middle East. We are pretty much looking at cybercriminals who show no traces of stopping anytime soon,” warns Suguru Ishimaru, security researcher at Kaspersky Lab’s Global Research and Analysis Team (GReAT) Asia Pacific.

Researchers also noticed that the hackers have adopted a trial-and-error approach to test which technique would earn them more money faster. For instance, the attacker modified the malware’s infected landing page, alternating between an Apple phishing site and a web coin-mining page.
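
The web coin-mining landing page described above is something a defender can check for directly. The scanner below is an added example, not code from the Kaspersky Lab report or the Techworld article: it pulls external script sources and inline script bodies out of a page with Python’s standard-library HTMLParser and flags known browser-miner indicators. The indicator lists and both sample pages are constructed for this example; the coinhive.com script host and the CoinHive.Anonymous constructor are the public names the CoinHive library used and appear here only as detection signatures.

```python
"""
Added example (not part of the Techworld / Kaspersky Lab text): scan the HTML
of a landing page for browser coin-mining code. All sample pages and indicator
lists below are constructed for this example.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hosts whose scripts are browser miners (constructed list for this example).
MINER_SCRIPT_HOSTS = {"coinhive.com"}

# Inline-code patterns: the public CoinHive constructor call and a worker start.
MINER_INLINE_PATTERNS = {
    "coinhive_constructor": re.compile(r"new\s+CoinHive\.(Anonymous|User)\s*\(", re.I),
    "miner_start_call": re.compile(r"\b(miner|worker)\s*\.\s*start\s*\(", re.I),
}

# Constructed sample pages: one carrying a miner, one benign.
MINING_PAGE = """<html><head><title>Update required</title>
<script src="/static/app.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<p>Please wait...</p>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""

CLEAN_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><script>document.title = "hello";</script></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML page."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True  # inline script: buffer its body until </script>
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def script_host(src: str) -> Optional[str]:
    """Hostname of a script URL; None for relative paths. Protocol-relative URLs parse too."""
    return urlparse(src).hostname or None


def host_is_listed(host: str, listed: set) -> bool:
    """True when host equals a listed host or is a subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in listed)


def scan_html(html: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious external script or inline script block."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings: List[Dict[str, str]] = []
    for src in parser.external:
        host = script_host(src)
        if host and host_is_listed(host, MINER_SCRIPT_HOSTS):
            findings.append({"kind": "external_script", "evidence": src})
    for body in parser.inline:
        hits = [name for name, pat in MINER_INLINE_PATTERNS.items() if pat.search(body)]
        if hits:
            findings.append({"kind": "inline_script", "evidence": ",".join(hits)})
    return findings


def is_mining_page(html: str) -> bool:
    return bool(scan_html(html))


if __name__ == "__main__":
    for label, page in (("mining", MINING_PAGE), ("clean", CLEAN_PAGE)):
        print(label, "->", scan_html(page))
```

Matching on both the script host and the inline constructor call keeps the check useful when an operator copies the miner library to their own host: the inline call is still caught, and the list of hosts can be extended as new signatures are learned.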


Roaming Mantis has also expanded its attack and evasion tools. The group initially hijacked the DNS settings of rogue Wi-Fi routers to infect Android users in Japan, Korea, India, and Bangladesh with Trojanized applications named facebook.apk and chrome.apk.

The latest updates reveal that facebook.apk has been renamed sagawa.apk and is now spread via a rented SMS spoofing delivery service. This technique was first used last year by another cybergang.

Kaspersky Lab also uncovered that the attacker spreads its malware via Prezi, a cloud-based presentation service that offers free user accounts; because the site is considered legitimate, security products find it harder to detect the phishing or malicious activity hosted there. In addition, the redirected scam content shows that Roaming Mantis uses templates, which suggests that Prezi has become an established delivery system for malicious content, too.

Aside from the updated tools and techniques, Kaspersky Lab researchers spotted careless mistakes made by the hacking group as it tries to branch out into additional types of attacks as quickly as possible.

Roaming Mantis, also known as MoqHao and XLoader, launched in four languages and within two months quickly added two dozen more, including the Asian languages Bengali, traditional and simplified Chinese, Hindi, Indonesian, Japanese, Korean, Malay, Filipino, Thai, and Vietnamese.

After this update, researchers detected mix-ups in the language environment: for instance, Japanese users would receive a pop-up message written in Korean.

The group also used HTML instead of a URL to redirect users to its malicious content, contrary to how Prezi actually works as a delivery system. As a result, the tweaked landing page failed to infect its intended victims.

“The intense financial motivation of this group is undoubtedly fueling it to try different attack and evasion tricks to widen its reach in a short period of time. In its haste to jump on different platforms, languages, and territories, Roaming Mantis is leaving crumbs of clues that guide us in understanding and predicting its next moves. While this group seems rich in manpower, time, and resources, Kaspersky Lab researchers tracking the minutest details will continue to dig up further forensic information to keep track of their movements,” adds Ishimaru.

To protect your devices against Roaming Mantis attacks, Kaspersky Lab suggests users do the following:

  • Check your router’s settings
  • Change the default administrator login and password on your devices, especially when they are used for cryptomining
  • Use robust security solutions for all your devices
  • Do not allow “Install unknown apps”
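
“Check your router’s settings” can be turned into a concrete test for the DNS hijacking the article describes. The script below is an added example, not code from Kaspersky Lab or the Techworld article: it lists the resolvers a device is actually using and compares them with an allowlist, compares answers for a few canary hostnames between the configured resolver and a trusted one, and flags the sinkhole-like pattern in which unrelated hostnames all resolve to one address (the behaviour of a router whose DNS has been pointed at a malicious landing page). All data in it (the resolv.conf text, the allowlist and both answer sets) is constructed for the example and uses documentation address ranges.

```python
"""
Added example (not part of the Techworld / Kaspersky Lab text): defensive checks
for router DNS hijacking. All inputs below are constructed samples.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed allowlist: the resolvers an organisation expects its devices to use.
TRUSTED_RESOLVERS: Set[str] = {"192.0.2.53", "2001:db8::53"}

# Constructed resolv.conf as a tampered router might push it to clients via DHCP.
HIJACKED_RESOLV_CONF = """\
# generated by DHCP (constructed sample)
nameserver 192.0.2.53
nameserver 198.51.100.9
nameserver not-an-address
options timeout:2
"""
CLEAN_RESOLV_CONF = "nameserver 192.0.2.53\n"

# Constructed answers: the configured resolver points every canary host at one
# address (a landing page), while the trusted resolver returns distinct hosts.
CANARY_ANSWERS_CONFIGURED: Dict[str, Set[str]] = {
    "www.example.com": {"203.0.113.77"},
    "www.example.net": {"203.0.113.77"},
    "www.example.org": {"203.0.113.77"},
}
CANARY_ANSWERS_TRUSTED: Dict[str, Set[str]] = {
    "www.example.com": {"198.51.100.10"},
    "www.example.net": {"198.51.100.20"},
    "www.example.org": {"198.51.100.30"},
}


def parse_resolvers(resolv_conf_text: str) -> List[str]:
    """Return the valid nameserver addresses in resolv.conf-style text, in order."""
    resolvers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                ipaddress.ip_address(parts[1])
            except ValueError:
                continue  # ignore malformed entries instead of crashing
            resolvers.append(parts[1])
    return resolvers


def unexpected_resolvers(resolvers: List[str],
                         trusted: Set[str] = TRUSTED_RESOLVERS) -> List[str]:
    """Resolvers in use that are not on the allowlist."""
    return [r for r in resolvers if r not in trusted]


def answer_mismatches(configured: Dict[str, Set[str]],
                      trusted: Dict[str, Set[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Hosts whose configured-resolver answers share nothing with the trusted answers.

    CDN-backed names legitimately return different addresses per query, so a
    mismatch is only raised when the two answer sets are completely disjoint.
    """
    out = {}
    for host, trusted_ips in trusted.items():
        configured_ips = configured.get(host, set())
        if configured_ips and not (configured_ips & trusted_ips):
            out[host] = (sorted(configured_ips), sorted(trusted_ips))
    return out


def shared_answer_ips(answers: Dict[str, Set[str]], min_hosts: int = 3) -> Set[str]:
    """Addresses returned for at least min_hosts different hostnames (sinkhole pattern)."""
    counts: Dict[str, int] = {}
    for ips in answers.values():
        for ip in ips:
            counts[ip] = counts.get(ip, 0) + 1
    return {ip for ip, n in counts.items() if n >= min_hosts}


def assess(resolv_conf_text: str,
           configured: Dict[str, Set[str]],
           trusted: Dict[str, Set[str]]) -> Dict[str, object]:
    """Combine the three checks into one report; any finding marks a suspected hijack."""
    resolvers = parse_resolvers(resolv_conf_text)
    report: Dict[str, object] = {
        "resolvers": resolvers,
        "unexpected_resolvers": unexpected_resolvers(resolvers),
        "answer_mismatches": answer_mismatches(configured, trusted),
        "shared_answer_ips": shared_answer_ips(configured),
    }
    report["hijack_suspected"] = bool(report["unexpected_resolvers"]
                                      or report["answer_mismatches"]
                                      or report["shared_answer_ips"])
    return report


if __name__ == "__main__":
    for label, conf, answers in (("hijacked", HIJACKED_RESOLV_CONF, CANARY_ANSWERS_CONFIGURED),
                                 ("clean", CLEAN_RESOLV_CONF, CANARY_ANSWERS_TRUSTED)):
        r = assess(conf, answers, CANARY_ANSWERS_TRUSTED)
        print(label, "-> hijack suspected:", r["hijack_suspected"])
        for key in ("unexpected_resolvers", "answer_mismatches", "shared_answer_ips"):
            if r[key]:
                print("  ", key, r[key])
```

On a real device the resolv.conf text would be read from the system and the two answer sets gathered by querying the configured resolver and a trusted one (for example over DNS-over-HTTPS so the comparison cannot itself be hijacked on the same path); the checks above are deliberately kept free of network calls so they run offline on the constructed data.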


Kaspersky Lab security solutions detect the malware used by Roaming Mantis as HEUR:Trojan-Banker.AndroidOS.Wroba.e and HEUR:Trojan-Banker.AndroidOS.Wroba.al.

