Roaming Mantis Uses DNS Changers to Target Users via Compromised Public Routers



Woburn, MA – January 19, 2023 – Today Kaspersky researchers reported on a new domain name system (DNS) changer functionality used in the notorious Roaming Mantis campaign. Cybercriminals have demonstrated that they can use compromised public Wi-Fi routers to try to infect more Android smartphones with the campaign's Wroba.o malware. Attackers used the new technique against users in South Korea, but it could soon be deployed in other countries as well.

Roaming Mantis (a.k.a. Shaoye) is a cybercriminal campaign first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to control infected Android devices and steal device information. It also has a phishing option for iOS devices and cryptomining capabilities for PCs. The name of the campaign is based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection.

New DNS changer functionality to attack more users via public routers

Kaspersky discovered that Roaming Mantis recently introduced a domain name system (DNS) changer functionality in Wroba.o (a.k.a. Agent.eq, Moqhao, XLoader), the malware mainly used in the campaign. A DNS changer is a malicious program that directs a device connected to a compromised Wi-Fi router to a server under the control of cybercriminals instead of a legitimate DNS server. On the malicious landing page, the potential victim is prompted to download malware that can control the device or steal credentials.

At the moment, the threat actor behind Roaming Mantis is exclusively targeting routers located in South Korea and manufactured by a very popular South Korean network equipment vendor. To identify them, the new DNS changer functionality obtains the router's IP address and checks the router's model, compromising targeted ones by overwriting their DNS settings. In December 2022, Kaspersky observed 508 malicious APK downloads in the country (see Table 1).

An investigation of malicious landing pages found that attackers are also targeting other regions using smishing instead of DNS changers. This technique uses text messages to spread malicious links that direct the victim to a malicious site to download malware onto the device or steal user information via a phishing website. Japan topped the list of targeted countries with nearly 25,000 malicious APK downloads from the landing pages created by the cybercriminals. Austria and France followed with roughly 7,000 downloads each. Germany, Turkey, Malaysia and India rounded out the list. Kaspersky researchers predict that the perpetrators may soon update the DNS changer function to target Wi-Fi routers in these regions as well.

Country   Number of malicious APK downloads
Japan 24,645
Austria 7,354
France 7,246
Germany 5,827
South Korea 508
Turkey 381
Malaysia 154
India 28

Table 1. The number of malicious APK downloads per country, based on investigation of malicious landing pages created within the Roaming Mantis campaign, first half of December 2022

According to Kaspersky Security Network (KSN) statistics for September – December 2022, the highest detection rates of Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) were in France (54.4%), Japan (12.1%) and the U.S. (10.1%).

“When an infected smartphone connects to ‘healthy’ routers in various public places like cafes, bars, libraries, hotels, shopping malls, airports, or even homes, Wroba.o malware can compromise these routers and affect other connected devices as well,” said Suguru Ishimaru, senior security researcher at Kaspersky. “The new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products. We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions.”

To read the full report on the newly implemented DNS changer functionality, please visit Securelist.com.

To protect your internet connection from this infection, Kaspersky researchers recommend the following:

  • Refer to your router's user manual to verify that your DNS settings haven't been tampered with, or contact your ISP for support.
  • Change the default login and password for the admin web interface of the router and regularly update your router's firmware from the official source.
  • Never install router firmware from third-party sources. Avoid using third-party repositories on your Android devices.
  • Further, always check browser and website addresses to make sure they're legitimate; look for indicators such as https when asked to enter data.
  • Consider installing a mobile security solution, such as Kaspersky, to protect your devices from these and other threats.
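A defender-side check for the first recommendation above, added here as an example and not code from the Kaspersky report: it parses a resolver configuration of the kind a client receives from its router via DHCP and flags any resolver outside an allowlist, which is how a DNS changer that has overwritten the router's DNS settings would show up on a connected device. The TRUSTED_RESOLVERS list and the sample configuration are assumptions constructed for this example.

```python
import ipaddress

# Constructed sample of a resolv.conf-style file as a client might receive it
# via DHCP from a home or public router (made-up data, not from the report).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
nameserver 192.168.0.1
nameserver 203.0.113.45
search lan
"""

# Resolvers the operator considers trustworthy: the router itself (RFC 1918
# space) plus a few well-known public resolvers. Assumption: adjust to your
# own environment; a DNS changer typically points clients at none of these.
TRUSTED_RESOLVERS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "1.1.1.1/32", "1.0.0.1/32", "8.8.8.8/32", "8.8.4.4/32", "9.9.9.9/32",
]


def parse_nameservers(text):
    """Return the nameserver IPs listed in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # ignore malformed entries rather than crash
    return servers


def find_untrusted_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Return (as strings) the resolvers that fall outside every trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    # 'addr in net' is False across IPv4/IPv6 families, so mixed lists are safe.
    return [str(s) for s in servers if not any(s in n for n in nets)]


def check_resolv_conf(text):
    """Parse and flag in one step; an empty list means nothing suspicious."""
    return find_untrusted_resolvers(parse_nameservers(text))


if __name__ == "__main__":
    for ip in check_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"WARNING: unexpected DNS resolver {ip}; verify the router's DNS settings")
```

On Linux clients the same logic can be pointed at /etc/resolv.conf; on other platforms feed it the resolver list exported by the OS network settings.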

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company's comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
