Friday, March 29, 2024

DNS Hijacking Method Used by Powerful Malware to Hack Android, Desktop & iOS Devices

Roaming Mantis Malware expands Geographically with many new capabilities. Initially, it targets only the Android users, now the malware authors improved their code by adding more geographies, platform support, and capabilities.

The DNS hijacking malware Dubbed Roaming Mantis designed to spread via DNS hijacking method. It redirects the users to the malicious pages and leads to download the Trojanized application spoofed Facebook or Chrome.

According to Kaspersky researchers “In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods.”

Geographical Expanded – Roaming Mantis

Now the landing page and the apk file support for 27 new languages covering Europe and the Middle East, so that the landing page and the malicious apk file will be downloaded corresponding to the device language.

Roaming Mantis

According to the Kaspersky report more than 120 users of Kaspersky Lab products were affected in the last 10 days, the most affected countries are Russia, Ukraine, and India.

Phishing Campaign iOS device & mining with PC

Now the group behind Roaming Mantis targets iOS devices as well, with a phishing site http://security[.]apple[.]com to steal the user credentials.

The domain could not be resolved with legitimate DNS as it doesn’t exist and only the rogue DNS can resolve to the domain. If the user establishes the connection via compromised router it resolves with the domains that mimicking the Apple website.

Roaming Mantis

The Phishing page supports for 25 languages and it is designed to steal user ID, password, card number, card expiration date and CVV.

Also, it inherits the web mining via a special script executed in the browser. It uses the most popular Coinhive web miner if the user connects to the landing page their CPU usage will increase terribly.

The threat actors behind Roaming Mantis have been quite active in improving their tools. To evade detection, it generates the malicious filename in real-time.

Roaming Mantis

With the recent campaign it uses email protocol instead of HTTP to retrieve C2 servers, the malware connects via POP3 to a hardcoded outlook credentials and then extracts the real C2 address using the string “abcd” as an anchor.

Researchers concluded, “The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.”

Enterprise Networks can also Focus on DNS flood Attack to protect malware and DDoS Attacks.

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles