Posted on July 26, 2022 at 12:01 PM
Researchers Warn Android Users Of Roaming Mantis Malware Group
The Roaming Mantis group has been targeting thousands of users across several countries, including the UK, the US, Taiwan, Japan, and Germany. The group's attack vector is deploying malware on iOS and Android devices. It has been spreading its attacks across several European countries and has been active since February this year.
The mobile threat campaign has now been connected to a wide range of hacking activities directed at French mobile phone users. This is coming months after the group expanded its targets to European countries.
According to reports, more than 70,000 Android devices have been compromised by the group, as part of its active malware operation.
The Group Has Financial Motivation
In a report published by Sekoia, Roaming Mantis is described as a Chinese threat group with financial motivations, just like other ransomware groups.
The group is known for redirecting iPhone users to malware-infested sites or deploying a banking Trojan named MoqHao, also called XLoader. Additionally, the group can send users to credential-harvesting landing pages that imitate the iCloud login page. These are all means of stealing information and planting malware on the target's Android or iOS device.
As an Android remote access Trojan (RAT), MoqHao has backdoor and information-stealing capabilities that can spread malware through SMS, according to Sekoia researchers.
The group starts the attack via a phishing method known as smishing. In this method, the hackers lure users with package-delivery-themed SMS messages that contain rogue links. Once the target clicks on the link, the malware download process is triggered. However, the server first checks whether the victim is within French borders before continuing with the download.
If the victim is based outside France and their device runs neither iOS nor Android, the server responds with a "404 not found" status. The new app has been designed to target specific users based in France.
The Malware Steals iCloud Credentials
The phishing campaign has been described as geofenced, with the malware designed to steal Apple iCloud credentials or install Android malware, according to the researchers.
Generally, MoqHao uses domains generated via the dynamic DNS service Duck DNS for its first-stage delivery infrastructure. Additionally, the app can pose as the Chrome web browser app to deceive users into granting it the permissions it needs.
With these privileges, the spyware Trojan can provide a route for remote interaction with the compromised device. This gives the adversary strong attack capability and allows them to harvest sensitive data. The malware can collect details such as SMS messages, call history, contact lists, and iCloud data, among others.
The researchers also noted that the hackers could use the stolen data to carry out extortion schemes. Alternatively, the data can be sold on the dark net so that other hackers can carry out further phishing or identity theft with it. Sekoia added that over 90,000 unique IP addresses have sent requests to the C2 server that distributes MoqHao. Interest in the malware remains high, and more hackers could flood the internet with various forms of attack using the info-stealing malware.
However, it is not clear how many iOS users have fallen victim to the attack and unknowingly handed over their Apple iCloud credentials. The malware is using a different approach and is targeting users based in France.
The Group Is Targeting France-based Users
The operational pattern of the group over the past months shows that they usually concentrate on a particular country for some time before moving on to targets in another country. This time, they are looking to compromise French users, and will likely move on to targets in other countries after exploiting users in France.
However, the researchers have reported that Roaming Mantis has not changed its infrastructure much since its operation was first discovered in April last year.
The servers still have open ports at TCP/47001, TCP/10081, TCP/5985, and TCP/443, and the same certificates seen in April are still in use.
Domains used in the SMS messages either rely on dynamic DNS services such as duckdns.org or are registered with GoDaddy. The group uses more than 100 subdomains as well as dozens of FQDNs on each IP address.
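The two infrastructure traits the article describes for the smishing stage, package-delivery lures carrying a link and link hosts under a dynamic DNS zone such as duckdns.org, are easy to turn into a triage rule for SMS or message-gateway logs. The following is an added example written for this page, not Sekoia's or the article's own code. Only the duckdns.org zone comes from the article; the lure phrases, the scoring weights and the sample messages are constructed assumptions for illustration.

```python
"""Triage of package-delivery smishing messages: flag links whose host sits
under a dynamic DNS zone and delivery-themed wording that accompanies a link.
Added example for this page; not Sekoia's or the article's own code."""
import re
from urllib.parse import urlparse

# Dynamic DNS zone named in the article; extend with other zones as needed.
DYNAMIC_DNS_ZONES = ("duckdns.org",)

# Delivery-lure phrases (constructed; English and French terms because the
# campaign described targets users in France).
LURE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bpackage\b", r"\bparcel\b", r"\bdeliver(?:y|ed)\b", r"\bredeliver",
    r"\bcolis\b", r"\blivraison\b", r"\bcustoms\b",
)]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(text):
    """Return the lowercase hostnames of every http(s) link in the message."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if host:
            hosts.append(host)
    return hosts


def is_dynamic_dns(host):
    """True if the host is a dynamic DNS zone or any subdomain of one."""
    return any(host == z or host.endswith("." + z) for z in DYNAMIC_DNS_ZONES)


def score_message(text):
    """Score one SMS: 2 points per dynamic-DNS link, 1 point for a
    delivery-themed lure that carries a link. Score >= 2 is 'suspicious'.
    The weights are an assumption chosen for this example."""
    hosts = extract_hosts(text)
    reasons = []
    score = 0
    for host in hosts:
        if is_dynamic_dns(host):
            score += 2
            reasons.append(f"link to dynamic DNS host {host}")
    if hosts and any(p.search(text) for p in LURE_PATTERNS):
        score += 1
        reasons.append("delivery-themed wording with a link")
    return {"score": score, "suspicious": score >= 2,
            "hosts": hosts, "reasons": reasons}


# Constructed sample messages (not real campaign text).
SAMPLE_MESSAGES = [
    "Your package could not be delivered. Reschedule here: http://abc123.duckdns.org/track",
    "Meet at 5? Map: https://maps.example.com/office",
    "Votre colis est en attente de livraison: https://tracking.example.net/x1",
]


def triage(messages=SAMPLE_MESSAGES):
    """Run score_message over a batch and return the highest scores first."""
    results = [dict(text=m, **score_message(m)) for m in messages]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"[{flag}] score={r['score']} hosts={r['hosts']} reasons={r['reasons']}")
```

The suffix check in `is_dynamic_dns` matches any depth of subdomain under the zone, which matters here because the article notes more than 100 subdomains per IP address; a delivery lure on an ordinary registered domain still scores 1, so it surfaces for review without being auto-flagged.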
Additionally, the smishing operation has been known to use C2 servers separate from the ones used by XLoader. The researchers discovered nine of them hosted on the VELIANET and EHOSTIDC autonomous systems.