Thursday, March 28, 2024

DNS Hijacking Method Used by Powerful Malware to Hack Android, Desktop & iOS Devices

Roaming Mantis Malware expands Geographically with many new capabilities. Initially, it targets only the Android users, now the malware authors improved their code by adding more geographies, platform support, and capabilities.

The DNS hijacking malware Dubbed Roaming Mantis designed to spread via DNS hijacking method. It redirects the users to the malicious pages and leads to download the Trojanized application spoofed Facebook or Chrome.

According to Kaspersky researchers “In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods.”

Geographical Expanded – Roaming Mantis

Now the landing page and the apk file support for 27 new languages covering Europe and the Middle East, so that the landing page and the malicious apk file will be downloaded corresponding to the device language.

Roaming Mantis

According to the Kaspersky report more than 120 users of Kaspersky Lab products were affected in the last 10 days, the most affected countries are Russia, Ukraine, and India.

Phishing Campaign iOS device & mining with PC

Now the group behind Roaming Mantis targets iOS devices as well, with a phishing site http://security[.]apple[.]com to steal the user credentials.

The domain could not be resolved with legitimate DNS as it doesn’t exist and only the rogue DNS can resolve to the domain. If the user establishes the connection via compromised router it resolves with the domains that mimicking the Apple website.

Roaming Mantis

The Phishing page supports for 25 languages and it is designed to steal user ID, password, card number, card expiration date and CVV.

Also, it inherits the web mining via a special script executed in the browser. It uses the most popular Coinhive web miner if the user connects to the landing page their CPU usage will increase terribly.

The threat actors behind Roaming Mantis have been quite active in improving their tools. To evade detection, it generates the malicious filename in real-time.

Roaming Mantis

With the recent campaign it uses email protocol instead of HTTP to retrieve C2 servers, the malware connects via POP3 to a hardcoded outlook credentials and then extracts the real C2 address using the string “abcd” as an anchor.

Researchers concluded, “The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.”

Enterprise Networks can also Focus on DNS flood Attack to protect malware and DDoS Attacks.

Website

Latest articles

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles