Search

Roaming Mantis Attacks, Phishing, and Identity Theft

April 5, 2023
Blog

4 min read

Roaming Mantis Attacks, Phishing, and Identity Theft

One important part of Novatech’s business plan is to give clients the useful information they need, especially about information security. We often find that showing our clients how cybercrime groups and bad actors work helps them realize how important cybersecurity has become as a business process. In this spirit, let’s look at a problem that started as Android malware and has since grown into an advanced persistent threat (APT).

 

The ID Theft Ring of Roaming Mantis

In 2018, Kaspersky researchers gave the name “Roaming Mantis” to both a Chinese cybercrime group and an APT campaign. At first, the threat was a domain name system (DNS) hijacker that sent users of Android smartphones and tablets to malicious websites where they could download fake versions of popular apps like Facebook and Google Maps. The purpose of the malicious redirection was to get user names and passwords from people who didn’t know what was going on.

When Roaming Mantis first went after Android users, a malicious Android program kit (APK) installation was used to steal their identities and login credentials. The APK tried to look like a real mobile app. Attackers used stolen Facebook and Google login information to find out more and get into online banking accounts, employee portals, health records, and other sensitive websites. This APT has gotten smarter over time, and now it targets vulnerable WiFi router models to spread malware across networks, making it spread like a computer virus.

 

Roaming Mantis: How It Works

Researchers in information security who had been watching how Roaming Mantis changed noticed a huge attack on smartphone users with French phone numbers in June 2022. The attack started with a phishing text that looks like it came from a package delivery service like DHL or Mondial Relay. SMS spoofing made the message look like it was real, and it told the recipient to click a link to track a package.

When Android users went to the supposed tracking page, they were taken to a bad website where they were tricked into installing an APK that contained malware. When people used an iPhone or iPad, they were taken to a mobile website that looked like an iCloud login page. If the APK install went well, Roaming Mantis would make an HTTP routine to discover the model and firmware of all the WiFi routers the infected device connects to. The malware code changes the DNS settings of vulnerable routers so that users are sent to more malicious websites that steal user credentials.

The Roaming Mantis APK also has malicious code called MoqHao, which is also known as XLoader or Wroba. This code connects hijacked routers to command and control centers so that more information can be gathered and infected devices can be added to a botnet. Once the malware has gotten into vulnerable routers, it keeps an eye on them to see if their network settings have changed. When the malware finds an update, it changes its code to include the new configuration details so that it can’t be found. The infected device doesn’t know about the bad things happening because the APK doesn’t load new code by itself. It only does so when the device is connected to the Internet. All of these things make Roaming Mantis a very dangerous APT.

 

How to Take Care of Roaming Mantis and Other APTs

Roaming Mantis stole usernames and passwords, which can be used for everything from data theft to ransomware to credit card fraud to breaking into a network. This is just one of the thousands of APTs that are in the process of spreading right now. Losses from cybercrime in the US for 2022 were estimated to be over $10 billion, and APTs were responsible for a big chunk of those losses.

Several steps must be taken to keep APTs from getting into data networks. Since we know that the MoqHao malware targets certain WiFi routers, the first step is to make sure that the devices are patched or, if necessary, replaced. We also know that the Roaming Mantis cybercrime group uses SMS spoofing, so a business organization would need to go through phishing awareness training to avoid being attacked.

To find and stop APTs, it goes without saying that office data networks, whether they are in the cloud or on-premise, need to be actively monitored. Smart solutions like Managed Cybersecurity by Novatech give business owners peace of mind because they monitor network activity around the clock. These solutions also have automated response routines that can stop cyber attacks in progress or start mitigating them on the spot.

Ultimately, securing your network is not a part-time affair. This is why you need a company like Novatech, who can help your company get the protection and warnings it needs to keep its data safe. We have network engineers who are able to help answer questions you may have about attacks like the Roaming Mantis Attacks.

Contact us to learn more.

Written By: Sr. Editor