Roaming Mantis uses DNS changers to target users via compromised public routers
On January 19, Kaspersky researchers reported on a new domain name system (DNS) changer functionality used in the Roaming Mantis campaign. Now cybercriminals can use compromised Wi-Fi routers in cafes, airports hotels and other public places to potentially infect more Android smartphones with the Wroba.o malware. At the moment, the new technique targets users in South Korea, but it can be soon implemented in other countries as well.
Roaming Mantis (a.k.a Shaoye) is a cybercriminal campaign first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to control infected Android devices and steal device information. It also has a phishing option for iOS devices and crypto-mining capabilities for PCs. The name of the campaign is based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection.
New DNS changer functionality to attack more users via public routers
Kaspersky discovered that Roaming Mantis recently introduced a domain name system (DNS) changer functionality in Wroba.o (a.k.a Agent.eq, Moqhao, XLoader) – the malware that was primarily used in the campaign. DNS changer is a malicious program that directs the device connected to a compromised Wi-Fi router to a server under the control of cybercriminals instead of a legitimate DNS server. On the malicious landing page, the potential victim is prompted to download malware that can control the device or steal credentials.
At the moment, the threat actor behind Roaming Mantis is exclusively targeting routers located in South Korea and manufactured by a very popular South Korean network equipment vendor. To identify them, the new DNS changer functionality gets the router’s IP address and checks the router’s model, compromising targeted ones by overwriting the DNS settings. In December 2022, Kaspersky observed 508 malicious APKs downloads in the country (see the Table 1).
An investigation of malicious landing pages found that attackers are also targeting other regions using smishing instead of DNS changers. This technique employs text messages to spread malicious links that direct the victim to a malicious site to download malware onto the device or steal user info via a phishing website. Japan topped the list of targeted countries with nearly 25 000 malicious APK downloads from the landings created by cybercriminals. Austria and France followed with roughly 7000 downloads each. Germany, Turkey, Malaysia and India rounded the list. Kaspersky researchers predict that the perpetrators may soon update the DNS changer function to target Wi-Fi routers in those regions as well.
| Country | Number of downloaded malicious APK |
| Japan | 24645 |
| Austria | 7354 |
| France | 7246 |
| Germany | 5827 |
| South Korea | 508 |
| Turkey | 381 |
| Malaysia | 154 |
| India | 28 |
Table 1. The number of malicious APK downloads per country based on investigation of malicious landing pages created within Roaming Mantis campaign, the first half of December 2022
According to Kaspersky Security Network (KSN) statistics in September – December 2022, the highest detection rate of Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) was in France (54.4%), Japan (12.1%) and the U.S. (10.1%).
“When an infected smartphone connects to “healthy” routers in various public places like cafes, bars, libraries, hotels, shopping malls, airports, or even homes, Wroba.o malware can compromise these routers and affect other connected devices as well. The new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products. We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions”, says Suguru Ishimaru, Senior Security Researcher at Kaspersky.
To read the full report on newly implemented DNS changer functionality, please visit Securelist.com.
In order to protect your internet connection from this infection, Kaspersky researchers recommend the following:
- Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with or contact your ISP for support.
- Change the default login and password for the admin web interface of the router and regularly update your router’s firmware from the official source.
- Never install router firmware from third party sources. Avoid using third-party repositories for your Android devices.
- Further, always check browser and website addresses to ensure they are legitimate; look for signs such as https when asked to enter data.
- Consider installing a mobile security solution, such as special security solution, to protect your devices from these and other threats.
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
Roaming Mantis uses DNS changers to target users via compromised public routers
Kaspersky
Related Articles Press Releases
Kaspersky Thin Client 2.0: Cyber Immune protection with enhanced connectivity, performance and design
Kaspersky has presented an updated operating system for thin clients that offers enhanced connectivity, higher speed of applications delivery, lower total cost of ownership, user-friendly graphical interface and quick deployment. Kaspersky Thin Client 2.0 is the main component of the Cyber Immune solution for building thin client infrastructure in a wide range of industries, including healthcare, finance, education and manufacturing.Read More >New DuneQuixote cyberespionage campaign targets governmental entities worldwide
Kaspersky researchers have discovered an ongoing malicious campaign initially targeting a governmental entity in the Middle East. Further investigation uncovered more than 30 malware dropper samples actively employed in this campaign, allegedly expanding the victimology to APAC, Europe and North America. Dubbed DuneQuixote, the malware strings incorporate snippets taken from Spanish poems to enhance persistence and evade detection, with the ultimate goal of cyber espionage.Read More >Kaspersky Extended Detection and Response now available for implementation into business infrastructures
Kaspersky has announced that its new solution, Kaspersky Extended Detection and Response (XDR), is now available to customers after a successful evaluation phase with early adopters in a test environment. Companies can now seamlessly integrate this advanced product into their infrastructure under its new name, ‘Kaspersky Next XDR Expert’.Read More >
We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.