Back in April, Kaspersky Lab reported on an Android malware entitled “Roaming Mantis.” Roaming Mantis performed DNS hijacking as its main method of infection with the result being, most notably, installation en masse of a powerful banking Trojan via redirection to a landing page. Recently the Roaming Mantis malware has been exhibiting signs of an upgraded focus and reach in terms of what it attacks, as well as where it attacks.
As a new SecureList report shows, joint research performed by Kaspersky Lab, McAfee, and TrendMicro has revealed the alarming rate at which Roaming Mantis is gaining strength. Firstly, the malware originally targeted Asia (especially East Asia and South Asia), but the malware is going global with roughly 27 languages being “hardcoded in the HTML source of the landing page” that tricks users into downloading malicious apk files. It is not uncommon for malware to go global, but a 27 language increase (thus expanding beyond Asia by targeting Europe and the MENA region) in just one month shows serious initiative.
The research teams at the aforementioned organizations also discovered Roaming Mantis’ attacks have broadened and its evasive maneuvers have improved. The malware is not just targeting the Android OS anymore but has expanded to both the Apple iOS and PCs. In the case of iOS, the attackers behind the Roaming Mantis malware have created a phishing page with the intention of stealing user credentials.
The report describes the attack mechanics as follows:
When a user connects to the landing page via iOS devices, the user is redirected to ‘http://security.apple.com/’... A legitimate DNS server wouldn’t be able to resolve a domain name like that because it simply doesn’t exist. However, a user connecting via a compromised router can access the landing page because the rogue DNS service resolves this domain to the IP address 172.247.116[.]155.
As for the PC, the main addition to Roaming Mantis’ attack is cryptomining through the browser. Once a PC user connects to the designated landing page, Roaming Mantis will utilize the CoinHive script to begin the process. As for evasive maneuvers, according to the SecureList post, the malware has been improved so that it does the following to avoid detection:
The evasion techniques used by Roaming Mantis have also become more sophisticated. Several examples of recent additions described in this post include a new method of retrieving the C2 by using the email POP protocol, server side dynamic auto-generation of changing apk file/filenames, and the inclusion of an additional command to potentially assist in identifying research environments, have all been added.
Security researchers will continue to monitor Roaming Mantis and its attacks.
Featured image: Flickr / Daiju Azuma