Malware campaign expands to add cryptocurrency mining and iOS phishing attacks

The group behind the DNS-hijacking attacks has moved on from just targeting Android and is probably well-funded, warn researchers.
Written by Danny Palmer, Senior Writer

A rapidly evolving information-stealing malware campaign has added iOS device phishing and cryptocurrency mining to its arsenal, having previously just focused on Android targets.

Dubbed Roaming Mantis, the initial attacks mostly targeted South East Asia, but now the malware has been updated with the capability to specifically target users across Europe and the Middle East.

Those behind the criminal operation have even expanded attacks to cater for 27 different languages -- including English, Spanish, Hebrew, Chinese, Russian and Hindi -- in order to help coordinate successful infections. The additional languages have been added via an automatic translator.

The new tactics of Roaming Mantis have been detailed by researchers at security company Kaspersky Lab, who also examined the previous campaign. "The Roaming Mantis campaign evolved significantly in a short period of time," said Kaspersky researcher Suguru Ishimaru.

Roaming Mantis attacks spread via DNS hijacking, with users who attempt to access any website via a compromised router redirected to rogue sites. The language of the rogue landing page is set to correspond with the language settings of the device, choosing one of the 27 available -- up from the original five.


On this page, a pop-up urges the user to download a file -- named 'facebook.apk' or 'chrome.apk' -- which distributes the malicious payload. These malicious apk files have also been expanded to support 27 languages, although researchers note that comments are still left in Simplified Chinese.

Roaming Mantis previously only targeted Android devices, but it has now been changed to also target iPhones: users accessing the web via a compromised DNS are redirected to a phishing site after being told that they need to log in to the App Store again.

The page mimics the Apple website, claiming to be 'security.app.com', and asks victims for their user ID, password, card number, card expiration date and CVV. The HTML source of the phishing site also supports 25 languages, with just Bengali and Georgian missing from the full list.

Roaming Mantis Apple phishing page. Image: Kaspersky Lab

In addition to stealing sensitive information from Android and Apple mobile devices, researchers uncovered that the HTML source code of the Roaming Mantis landing page also contains a special script to be executed in the browser with the purpose of mining cryptocurrency.

When a user connects to the rogue landing page from a PC, a Coinhive JavaScript miner is run to use the machine's CPU to mine Monero for the attackers. Compared with other attacks, cryptocurrency mining is subtle, so users may be left unaware that their machine has been compromised -- at least until performance is impacted by the unwanted task.
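The two behaviours described above, a hijacked router sending every lookup to the same rogue address and a landing page that carries the Coinhive miner and the 'chrome.apk'/'facebook.apk' lure, can be checked for in passive DNS logs and fetched page bodies. The following is an added defender-side example, not code from the article or from Kaspersky Lab; the log format, the sample records (203.0.113.0/24 and 93.184.216.34 are documentation/example addresses) and the page fragment are constructed, and the "last two labels" domain grouping is a deliberate approximation with no public-suffix list.

```python
import re
from collections import defaultdict

# Constructed passive-DNS log, one record per line: "<timestamp> <client> <qname> A <answer>".
# Records 2-4 show the hijack pattern: unrelated sites all answering with one rogue IP.
SAMPLE_DNS_LOG = """\
2018-05-18T10:00:01 10.0.0.12 www.example.com A 93.184.216.34
2018-05-18T10:00:02 10.0.0.12 news.example.net A 203.0.113.5
2018-05-18T10:00:03 10.0.0.12 mail.example.org A 203.0.113.5
2018-05-18T10:00:04 10.0.0.12 bank.example.co A 203.0.113.5
2018-05-18T10:00:05 10.0.0.12 api.example.com A 93.184.216.34
"""

# Constructed landing-page fragment carrying the lures named in the article.
SAMPLE_HTML = """<html><body>
<script src="https://coinhive.example/lib/coinhive.min.js"></script>
<a href="/dl/chrome.apk">Update Chrome</a></body></html>"""

LINE_RE = re.compile(r"^\S+\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+A\s+(?P<ip>\S+)$")
LURE_RE = re.compile(r"coinhive\.min\.js|\b(?:facebook|chrome)\.apk\b", re.I)


def parse_dns_log(text):
    """Return (client, qname, answer_ip) tuples; lines that do not parse are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["client"], m["qname"].lower(), m["ip"]))
    return out


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def hijack_candidates(records, min_domains=3):
    """Map answer IP -> sorted registrable domains for any IP that answers for at least
    `min_domains` unrelated domains: the footprint of a router whose DNS settings
    redirect every site to the same rogue landing page. Shared hosting and CDNs
    can also trigger this, so treat hits as leads to verify, not verdicts."""
    domains_by_ip = defaultdict(set)
    for _client, qname, ip in records:
        domains_by_ip[ip].add(registered_domain(qname))
    return {ip: sorted(d) for ip, d in domains_by_ip.items() if len(d) >= min_domains}


def landing_page_indicators(html):
    """Return the distinct lure strings from the article that appear in a page body."""
    return sorted({m.lower() for m in LURE_RE.findall(html)})
```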


With the addition of these new features and regular updates to the malware combined with the rapid expansion of the campaign, it's likely that "those behind it have a strong financial motivation and are probably well-funded," said Ishimaru.

In the last few months, attacks have spread around the world, with the highest number of infected users in Russia, Ukraine and India. Roaming Mantis has also successfully compromised targets across Europe and even the United States.

While only 150 successful attacks have been identified in the wild, Kaspersky Lab warns that this could represent only a "tiny fraction of the overall picture", because DNS hijacking makes infections difficult to detect.
