A recently discovered DNS hijacking campaign that was found spreading banking trojan malware to Android smartphone users largely in Asia has expanded its reach to iOS and PC users as well, while targeting speakers of 27 different languages.
Kaspersky Lab researcher Suguru Ishimaru describes the malicious redirection attack’s rapid evolution in a May 18 company blog post — a follow-up to his previous Apr. 16 report on the campaign, dubbed Roaming Mantis.
According to Ishimaru, the campaign earlier this year focused on speakers of English, Japanese, Korean, and Simplified Chinese, while concentrating attacks on locales such as Bangladesh, Japan and South Korea. (Other Asian countries like China and India were also targeted, but not as severely.) But from May 1 to May 10, Roaming Mantis went much more strongly after Russia and Ukraine. Additionally, the landing page and malicious APK used to distribute the final trojan payload can now support many new European, Asian and Middle Eastern languages.
Kaspersky notes that in the first 10 days of May alone, 120 of its product users were affected by the threat — almost equaling the 150 unique users who were impacted between Feb. 9 and Apr. 9.
The Roaming Mantis attack infects users differently depending on what kind of machine the victim is using when he or she is redirected to the landing page.
Android users are infected with Trojan-Banker.AndroidOS.Wroba malware via the aforementioned malicious APK package. The trojanized application typically disguises itself as a fake Chrome or Facebook update, which users are tricked into downloading via a fraudulent prompt.
After installation, the banking malware overlays legitimate windows with a message that instructs users to authenticate their accounts via a fake Google page that asks for one’s name and date of birth. It also seeks spyware-type permissions to collect account information, manage calls and texts, record audio, and more — all in an apparent attempt to compromise the device and steal the verification code for two-factor authentication, Kaspersky reports. Ishimaru’s original report also noted that the malware “contains Android application IDs for popular mobile banking and game applications in South Korea.”
In a blog post from earlier this year, Trend Micro similarly noted that the malware can use its functionality to steal personally identifiable information and financial data, install additional apps, hijack the device and establish persistence through admin privileges. Trend Micro refers to the malware as XLoader, while researchers from McAfee named the trojan MoqHao in an August 2017 blog post linking the malware to a previous smishing campaign.
On the other hand, iOS device users who fall prey to Roaming Mantis are diverted to a phishing page with the fake domain “security.apple.com,” which attempts to steal user IDs, passwords, and payment card numbers, expiration dates and CVV numbers. PC users are victimized in a completely different fashion: the landing page executes a malicious cryptomining script in the browser.
In its report, Trend Micro theorized that the attackers have been able to execute DNS cache poisoning/DNS spoofing attacks that overwrite the router’s DNS settings “possibly through infringement techniques such as brute-force or dictionary attacks.”
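The router-level DNS hijack Trend Micro describes leaves two observable traces on a client: the resolver it was handed no longer matches what the network should be advertising, and answers for known hosts differ from what a trusted resolver returns. The following added example (not code from the article, Kaspersky or Trend Micro) checks both; the resolver addresses, domain names and answers are constructed sample values.

```python
# Added example, not from the article or the vendors it cites: a defender-side
# check for a router whose DNS settings have been overwritten. It flags
# resolvers outside an allow-list and disagreements between the configured
# resolver and a trusted out-of-band resolver. All inputs are constructed.
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Resolvers the network is expected to hand out (assumed sample addresses).
TRUSTED_RESOLVERS = {"192.0.2.53", "2001:db8::53"}

def rogue_resolvers(configured: Iterable[str], trusted=TRUSTED_RESOLVERS) -> List[str]:
    """Return configured resolvers that are not on the allow-list.
    A compromised router typically advertises an attacker-controlled address."""
    rogue = []
    for addr in configured:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            rogue.append(addr)          # not a valid address at all: suspicious
            continue
        if str(ip) not in trusted:
            rogue.append(str(ip))
    return rogue

def mismatched_answers(configured_answers: Dict[str, str],
                       trusted_answers: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Compare A records seen via the configured resolver against a trusted one.
    Returns (domain, configured_answer, trusted_answer) for every disagreement;
    a domain the configured resolver did not answer shows up with None.
    CDN-backed hosts may legitimately differ, so compare stable hosts you control."""
    out = []
    for domain, trusted_ip in trusted_answers.items():
        seen = configured_answers.get(domain)
        if seen != trusted_ip:
            out.append((domain, seen, trusted_ip))
    return out

if __name__ == "__main__":
    # Constructed sample: the router now advertises an unknown resolver ...
    dhcp_dns = ["198.51.100.7", "192.0.2.53"]
    # ... and that resolver answers differently for a banking host.
    from_router = {"bank.example.net": "203.0.113.9", "intranet.example.net": "192.0.2.10"}
    from_trusted = {"bank.example.net": "192.0.2.80", "intranet.example.net": "192.0.2.10"}
    print("rogue resolvers:", rogue_resolvers(dhcp_dns))
    print("mismatched answers:", mismatched_answers(from_router, from_trusted))
```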
Other recent updates to the malware include its use of the email POP protocol instead of the HTML protocol to communicate with the command-and-control server, the dynamic auto-generation of APK files and file names, and the addition of a “ping” backdoor command to help identify research environments.