skip to Main Content

New Roaming Mantis campaign targets mobile via advanced phishing

New Roaming Mantis Campaign Targets Mobile Via Advanced Phishing

Kaspersky: Cybercrime is targeting mobile with a new Roaming Mantis campaign: iOS users are redirected to malicious landing pages. Android ones are threatened by a new variant of sagawa.apk Type A malware

Cybercrime is attempting to compromise mobile devices via advanced phishing campaign, to redirect iOS users to download malicious APP (APK). The final goal is to collect sensitive information and drop the malware. Cyber security researchers believe that the attack belongs to Roaming Mantis campaign, that uses DNS hijacking attack to hack Android smartphones. The current cyber attacks just carry updates on their tools and tactics. Kaspersky experts detected new variants of sagawa.apk Type A (aka MoqHao and XLoader). It spreads mostly in Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran and Vietnam, and earlier was distributed via SMS in Japan. This wave is characterized by a new method with malicious mobile config, although the DNS manipulation is also still actively used. It’s particularly dangerous, as the profile could configure the device to use a malicious proxy or VPN, effectively allowing the bad actor to monitor everything in the targeted device.

The cyber security experts: cybercrime on landing pages force iOS users to download a malicious iOS mobile config installation, in order to steal data. Furthermore, on the Android side, the threat actors compromised WiFi routers to overwrite DNS settings and updated a couple of settings

According to GBHackers on Security, in order to compromise iOS devices and collect the data, attackers let iPhone user visit new landing page where he’s forced to download a malicious iOS mobile config installation. After the installation process, users redirect into the phishing site that automatically opens in a web browser and collected information from the device will be sent to the cybercrime’s server. Once victims enter their credentials then it redirects to the next page, which tried to steal the two-factor authentication code (PIN) sent to the device. Moreover, the new malware-dropper decryption function has been altered slightly, probably to evade detection by cyber security products and researchers. Furthermore, the threat actors compromised WiFi routers to overwrite DNS settings and updated two features as well to compromise Android devices: Decryption algorithm for encrypted payload in Trojan-Dropper module and Stored destination and accounts for getting real C2.

Back To Top