Wednesday, June 19, 2024

DNS Hijacking Method Used by Powerful Malware to Hack Android, Desktop & iOS Devices

Roaming Mantis Malware expands Geographically with many new capabilities. Initially, it targets only the Android users, now the malware authors improved their code by adding more geographies, platform support, and capabilities.

The DNS hijacking malware Dubbed Roaming Mantis designed to spread via DNS hijacking method. It redirects the users to the malicious pages and leads to download the Trojanized application spoofed Facebook or Chrome.

According to Kaspersky researchers “In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods.”

Geographical Expanded – Roaming Mantis

Now the landing page and the apk file support for 27 new languages covering Europe and the Middle East, so that the landing page and the malicious apk file will be downloaded corresponding to the device language.

Roaming Mantis

According to the Kaspersky report more than 120 users of Kaspersky Lab products were affected in the last 10 days, the most affected countries are Russia, Ukraine, and India.

Phishing Campaign iOS device & mining with PC

Now the group behind Roaming Mantis targets iOS devices as well, with a phishing site http://security[.]apple[.]com to steal the user credentials.

The domain could not be resolved with legitimate DNS as it doesn’t exist and only the rogue DNS can resolve to the domain. If the user establishes the connection via compromised router it resolves with the domains that mimicking the Apple website.

Roaming Mantis

The Phishing page supports for 25 languages and it is designed to steal user ID, password, card number, card expiration date and CVV.

Also, it inherits the web mining via a special script executed in the browser. It uses the most popular Coinhive web miner if the user connects to the landing page their CPU usage will increase terribly.

The threat actors behind Roaming Mantis have been quite active in improving their tools. To evade detection, it generates the malicious filename in real-time.

Roaming Mantis

With the recent campaign it uses email protocol instead of HTTP to retrieve C2 servers, the malware connects via POP3 to a hardcoded outlook credentials and then extracts the real C2 address using the string “abcd” as an anchor.

Researchers concluded, “The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.”

Enterprise Networks can also Focus on DNS flood Attack to protect malware and DDoS Attacks.


Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles