Computers Targeted by Malware Through Wi-Fi Routers


Kaspersky researchers have reported a new DNS switcher function used in the Roaming Mantis operation. Roaming Mantis (also known as Shaoye) is the name of a cybercrime campaign or operation first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to manage infected Android devices and steal confidential information from the device. It is also known to have a phishing option for iOS devices and crypto mining features for PCs. The name of this campaign is due to its spread through smartphones roaming Wi-Fi networks, potentially carrying and spreading the infection.

“Public routers and new DNS changer functionality”

Kaspersky recently discovered that Roaming Mantis has added DNS changer functionality to the campaign's malware, Wroba.o (aka Agent.eq, Moqhao, XLoader). A DNS changer is a malicious program that points a device connected to a compromised Wi-Fi router at a server controlled by the cybercriminals instead of a legitimate DNS server. In this scenario, the potential victim lands on a page that asks them to download malware capable of controlling the device or stealing credentials.

Currently, the attackers behind Roaming Mantis are only targeting routers located in South Korea and manufactured by a very popular South Korean networking equipment vendor. In December 2022, Kaspersky observed 508 malicious APK downloads in the country.

A study of malicious pages revealed that attackers were also targeting other regions using smishing instead of DNS changers. This technique uses text messages to spread links that direct the victim to a phishing site to download malware on the device or steal user information.

According to Kaspersky Security Network (KSN) statistics for September – December 2022, the highest detection rates for the Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) were in France (54.4%), Japan (12.1%) and the USA (10.1%).

“When an infected smartphone connects to ‘healthy’ routers in various public places, such as cafes, bars, libraries, hotels, shopping malls, airports and even homes, the Wroba.o malware is transmitted to this router,” said Suguru Ishimaru, Senior Security Researcher at Kaspersky. devices and may affect the devices connected to it. The new DNS changer functionality can manage almost any device selection using the compromised Wi-Fi router, such as forwarding to malicious hosts and disabling security updates. “We believe this discovery is critical to the cybersecurity of Android devices because it has the potential to spread widely in targeted regions.”

To protect your internet connection from this infection, Kaspersky researchers recommend:

  • Check your router's manual to verify that your DNS settings have not been tampered with, or contact your internet service provider for support.
  • Change the default username and password used for your router's web interface and update the firmware regularly from the official source.
  • Never install router software from third-party sources. Avoid using third-party app stores for your Android devices as well.
  • Always check browser and website addresses to make sure they are safe; remember to confirm that the connection is secured with https:// before entering data.
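The first recommendation above (verify that the DNS settings have not been tampered with) can be partly automated on a host behind the router. The following is an added example, not code from the Kaspersky report or the Roaming Mantis analysis; the allowlisted resolvers, the resolv.conf text and the DNS answers it uses are constructed placeholders, and in practice the "trusted" answers would come from a resolver you query directly rather than from the router.

```python
"""Offline checks for the DNS-changer footprint: resolvers a host was handed
that nobody configured, and names whose answers differ from a trusted resolver.
Added example; all addresses and names are constructed placeholders."""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed allowlist: the router's LAN address plus the public resolvers
# this network is expected to use. Maintain this per network.
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}


def parse_resolvers(resolv_conf: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text (comments and
    malformed addresses are skipped)."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:  # not an IP address, ignore the entry
                pass
    return servers


def unexpected_resolvers(configured: Iterable[str], allowlist: Set[str]) -> List[str]:
    """Return configured resolvers that are not allowlisted. A resolver the
    operator never configured is the classic DNS-changer footprint."""
    return [r for r in configured if r not in allowlist]


def disagreeing_names(system: Dict[str, Set[str]], trusted: Dict[str, Set[str]]) -> List[str]:
    """Return names whose answers from the system resolver share no address
    with the trusted resolver's answers. CDN rotation usually still overlaps;
    a completely disjoint set is worth investigating as a redirection."""
    return sorted(n for n in system if n in trusted and not (system[n] & trusted[n]))


if __name__ == "__main__":
    # Constructed resolv.conf as a DNS changer might leave it: an address the
    # operator never configured listed ahead of the router's own address.
    sample = "search lan\nnameserver 203.0.113.10  # rogue\nnameserver 192.168.1.1\n"
    print("unexpected resolvers:", unexpected_resolvers(parse_resolvers(sample), EXPECTED_RESOLVERS))
    # Constructed answers: one name steered to a different host, one benign CDN rotation.
    sys_ans = {"bank.example": {"203.0.113.25"}, "cdn.example": {"198.51.100.7", "198.51.100.9"}}
    trusted_ans = {"bank.example": {"192.0.2.40"}, "cdn.example": {"198.51.100.9"}}
    print("names to investigate:", disagreeing_names(sys_ans, trusted_ans))
```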
