Woburn, MA – January 19, 2023 – Right this moment Kaspersky researchers reported on a brand new area identify system (DNS) changer performance used within the notorious Roaming Mantis marketing campaign. Cybercriminals have demonstrated they will use compromised public Wi-Fi routers to attempt to infect extra Android smartphones with the marketing campaign’s Wroba.o malware. Attackers used the brand new approach towards customers in South Korea, but it surely may very well be quickly applied in different nations as properly.
Roaming Mantis (a.ok.a Shaoye) is a cybercriminal marketing campaign first noticed by Kaspersky in 2018. It makes use of malicious Android bundle (APK) information to manage contaminated Android units and steal system info. It additionally has a phishing choice for iOS units and cryptomining capabilities for PCs. The identify of the marketing campaign is predicated on its propagation through smartphones roaming between Wi-Fi networks, probably carrying and spreading the an infection.
New DNS changer performance to assault extra customers through public routers
Kaspersky found that Roaming Mantis just lately launched a website identify system (DNS) changer performance in Wroba.o (a.ok.a Agent.eq, Moqhao, XLoader), the malware that was primarily used within the marketing campaign. DNS changer is a trojan horse that directs the system linked to a compromised Wi-Fi router to a server below the management of cybercriminals as an alternative of a professional DNS server. On the malicious touchdown web page, the potential sufferer is prompted to obtain malware that may management the system or steal credentials.
In the intervening time, the risk actor behind Roaming Mantis is solely focusing on routers situated in South Korea and manufactured by a very talked-about South Korean community gear vendor. To determine them, the brand new DNS changer performance will get the router’s IP tackle and checks the router’s mannequin, compromising focused ones by overwriting the DNS settings. In December 2022, Kaspersky noticed 508 malicious APK downloads within the nation (see the Desk 1).
An investigation of malicious touchdown pages discovered that attackers are additionally focusing on different areas utilizing smishing as an alternative of DNS changers. This system employs textual content messages to unfold malicious hyperlinks that direct the sufferer to a malicious web site to obtain malware onto the system or steal consumer data through a phishing web site. Japan topped the checklist of focused nations with practically 25,000 malicious APK downloads from the landings created by cybercriminals. Austria and France adopted with roughly 7,000 downloads every. Germany, Turkey, Malaysia and India rounded out the checklist. Kaspersky researchers predict that the perpetrators might quickly replace the DNS changer operate to focus on Wi-Fi routers in these areas as properly.
| Nation | Variety of downloaded malicious APK |
| Japan | 24,645 |
| Austria | 7,354 |
| France | 7,246 |
| Germany | 5,827 |
| South Korea | 508 |
| Turkey | 381 |
| Malaysia | 154 |
| India | 28 |
Desk 1. The variety of malicious APK downloads per nation primarily based on investigation of malicious touchdown pages created inside Roaming Mantis marketing campaign, the primary half of December 2022
Based on Kaspersky Safety Community (KSN) statistics in September – December 2022, the very best detection fee of Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) was in France (54.4%), Japan (12.1%) and the U.S. (10.1%).
“When an contaminated smartphone connects to ‘wholesome’ routers in numerous public locations like cafes, bars, libraries, inns, purchasing malls, airports, and even houses, Wroba.o malware can compromise these routers and have an effect on different linked units as properly,” mentioned Suguru Ishimaru, senior safety researcher at Kaspersky. “The brand new DNS changer performance can handle all system communications utilizing the compromised Wi-Fi router, resembling redirecting to malicious hosts and disabling updates of safety merchandise. We imagine that this discovery is extremely vital for the cybersecurity of Android units as a result of it’s able to being extensively unfold within the focused areas.”
To learn the complete report on newly applied DNS changer performance, please go to Securelist.com.
So as to shield your web connection from this an infection, Kaspersky researchers suggest the next:
- Seek advice from your router’s consumer guide to confirm that your DNS settings haven’t been tampered with or contact your ISP for help.
- Change the default login and password for the admin net interface of the router and often replace your router’s firmware from the official supply.
- By no means set up router firmware from third get together sources. Keep away from utilizing third-party repositories in your Android units.
- Additional, all the time test browser and web site addresses to make sure they’re professional; search for indicators resembling https when requested to enter information.
- Contemplate putting in a cellular safety resolution, resembling Kaspersky, to guard your units from these and different threats.
About Kaspersky
Kaspersky is a world cybersecurity and digital privateness firm based in 1997. Kaspersky’s deep risk intelligence and safety experience is continually remodeling into progressive safety options and companies to guard companies, vital infrastructure, governments and customers across the globe. The corporate’s complete safety portfolio contains main endpoint safety and a variety of specialised safety options and companies to battle subtle and evolving digital threats. Over 400 million customers are protected by Kaspersky applied sciences and we assist 240,000 company purchasers shield what issues most to them. Study extra at usa.kaspersky.com.
