Skip to main content

DNS-HIJACKING MALWARE TARGETING IOS, ANDROID AND DESKTOP USERS WORLDWIDE. Widespread routers' DNS hijacking malware that recently found targeting Android devices has now been upgraded its capabilities to target iOS devices as well as desktop users. Dubbed Roaming Mantis, the malware was initially found hijacking Internet routers last month to distribute Android banking malware designed to steal users' login credentials and the secret code for two-factor authentication. According to security researchers at Kaspersky Labs, the criminal group behind the Roaming Mantis campaign has broadened their targets by adding phishing attacks for iOS devices, and cryptocurrency mining script for PC users. Moreover, while the initial attacks were designed to target users from South East Asia–including South Korea, China Bangladesh, and Japan–the new campaign now support 27 languages to expand its operations to infect people across Europe and the Middle East. How the Roaming Mantis Malware Works Similar to the previous version, the new Roaming Mantis malware is distributed via DNS hijacking, wherein attackers change the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by them. So, whenever users attempt to access any website via a compromised router, they are redirected to rogue websites, which serves: fake apps infected with banking malware to Android users,phishing sites to iOS users,Sites with cryptocurrency mining script to desktop users "After the [Android] user is redirected to the malicious site, they are prompted to update the browser [app]. That leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk)," researchers say. To evade detection, fake websites generate new packages in real time with unique malicious apk files for download, and also set filename as eight random numbers. Once installed, the attackers can control infected Android devices using 19 built-in backdoor commands, including–sendSms, setWifi, gcont, lock, onRecordAction, call, get_apps, ping and more. If the victims own an iOS device, the malware redirects users to a phishing site that mimics the Apple website, claiming to be 'security.app.com,' and asks them to enter their user ID, password, card number, card expiration date and CVV number. Besides stealing sensitive information from Android and iOS devices, researchers found that Roaming Mantis injects a browser-based cryptocurrency mining script from CoinHive on each landing page if visited using desktop browsers to mine Monero. Keeping in mind these new capabilities and the rapid growth of the campaign, researchers believe that "those behind it have a strong financial motivation and are probably well-funded." Here's How to Protect Yourself from Roaming Mantis In order to protect yourself from such malware, you are advised to ensure your router is running the latest version of the firmware and protected with a strong password. Since the hacking campaign is using attacker-controlled DNS servers to spoof legitimate domains and redirect users to malicious download files, you are advised to make sure the sites you are visiting has HTTPS enabled. You should also disable your router's remote administration feature and hardcode a trusted DNS server into the operating system network settings. Android device users are always advised to install apps from official stores, and disable the installation of apps from unknown sources on their smartphone by heading on to Settings → Security → Unknown sources. To check if your Wi-Fi router is already compromised, review your DNS settings and check the DNS server address. If it does not match the one issued by your provider, change it back to the right one. Also change all your account passwords immediately.

DNS-HIJACKING MALWARE TARGETING IOS, ANDROID AND DESKTOP USERS WORLDWIDE.


Widespread routers' DNS hijacking malware that recently found targeting Android devices has now been upgraded its capabilities to target iOS devices as well as desktop users.


Dubbed Roaming Mantis, the malware was initially found hijacking Internet routers last month to distribute Android banking malware designed to steal users' login credentials and the secret code for two-factor authentication.


According to security researchers at Kaspersky Labs, the criminal group behind the Roaming Mantis campaign has broadened their targets by adding phishing attacks for iOS devices, and cryptocurrency mining script for PC users.


Moreover, while the initial attacks were designed to target users from South East Asia–including South Korea, China Bangladesh, and Japan–the new campaign now support 27 languages to expand its operations to infect people across Europe and the Middle East.


How the Roaming Mantis Malware Works


Similar to the previous version, the new Roaming Mantis malware is distributed via DNS hijacking, wherein attackers change the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by them.


So, whenever users attempt to access any website via a compromised router, they are redirected to rogue websites, which serves:

fake apps infected with banking malware to Android users,phishing sites to iOS users,Sites with cryptocurrency mining script to desktop users


"After the [Android] user is redirected to the malicious site, they are prompted to update the browser [app]. That leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk)," researchers say.





To evade detection, fake websites generate new packages in real time with unique malicious apk files for download, and also set filename as eight random numbers.


Once installed, the attackers can control infected Android devices using 19 built-in backdoor commands, including–sendSms, setWifi, gcont, lock, onRecordAction, call, get_apps, ping and more.


If the victims own an iOS device, the malware redirects users to a phishing site that mimics the Apple website, claiming to be 'security.app.com,' and asks them to enter their user ID, password, card number, card expiration date and CVV number.


Besides stealing sensitive information from Android and iOS devices, researchers found that Roaming Mantis injects a browser-based cryptocurrency mining script from CoinHive on each landing page if visited using desktop browsers to mine Monero.


Keeping in mind these new capabilities and the rapid growth of the campaign, researchers believe that "those behind it have a strong financial motivation and are probably well-funded."


Here's How to Protect Yourself from Roaming Mantis


In order to protect yourself from such malware, you are advised to ensure your router is running the latest version of the firmware and protected with a strong password.


Since the hacking campaign is using attacker-controlled DNS servers to spoof legitimate domains and redirect users to malicious download files, you are advised to make sure the sites you are visiting has HTTPS enabled.


You should also disable your router's remote administration feature and hardcode a trusted DNS server into the operating system network settings.


Android device users are always advised to install apps from official stores, and disable the installation of apps from unknown sources on their smartphone by heading on to Settings → Security → Unknown sources.


To check if your Wi-Fi router is already compromised, review your DNS settings and check the DNS server address. If it does not match the one issued by your provider, change it back to the right one. Also change all your account passwords immediately.


Comments

Popular posts from this blog

Escaped Murder Suspect Finally Arrested in Yumbe Regional Referral Hospital, Yumbe District.

Story by Osuta Yusuf. 19-November-2024. 📸: Eyotre Kennedy handcuffed on bed while receiving medication this morning at Yumbe Regional Referral Hospital in Yumbe District. Eyotre Kennedy originating from Etoko village, Nyoroo Parish, Nyadri Sub-county in Maracha District who has for many years been terrorizing residents in his village, has finally been arrested this Monday morning 19-November-2024 while receiving treatment at Yumbe Regional Referral Hospital in Yumbe District following injuries he sustained from Theft mission on Saturday night 16-November-2024 in Owapi village, Azapi parish in Odupi Sub-county, Terego East Constituency in Terego District. Click here on the link  https://informationispowah.blogspot.com/2024/11/fugitive-who-chopped-3-people-killed.html   to read the story on his Theft of Goats in Terego. Upon getting cut on the finger and leg by the Mob as he attempted to fight and overpower owner of the goats he attempted to steal on Saturday night ...

41-Years-Old Man Digs His Own Grave in Maracha District.

Story by Osuta Yusuf.  Maracha District.  📸: The grave been dug by Mr Opiga Michael, a victim of frustration. Photo taken by Osuta Yusuf , on Wednesday 11-September-2024. The residents of Ebapi village, Baria Parish in Nyadri Sub-county, Maracha east constituency, Maracha District are in shock after a 41 year old man started digging his own grave. The man, identified as Mr Opiga Michael, who seems to be frustrated over some challenges in life, started digging his own grave on Tuesday 10-September-2024 until he was stopped by the elders in Nyaria clan. 📸: Opiga Michael, the Victim of Frustration. Photo by Osuta Yusuf , Information is Power. While speaking to our reporter on Wednesday evening 11-September-2024, Mr Opiga Michael, said, his main plan  was to commit suicide after finishing digging the grave for burying himself, explained that, he feels frustrated, abandoned and hated by his own clan people, whom he accused of piling lies against him a...

Wedded Ayivu West MP Lematia John Fights Over Another Woman.

  📸: Hon Lematia John. By URN. Police in Arua district are investigating a case of assault and threatening violence involving the Member of Parliament for Ayivu West Constituency John Lematia and James Ariko, a DSTV technician in Arua city. Drama ensued on Easter Sunday 31-3-2024 at Dream Land Hotel located at Kuluva trading center along Arua-Nebbi highway in Arua district when the legislator and the technician engaged in a fight reportedly over a woman identified as Faith Eyotaru 25, a relationship officer at Victoria University Kampala. The scuffle started after Ayivu West Mp John Lematia went to swim at Dreamland Hotel with Faith Eyotaru only to find Ariko, who had gone to the same hotel earlier. However, upon seeing the duo coming out of the vehicle, Ariko confronted Lematia with both men claiming to be having a relationship with the lady. It took the intervention of the staff at the hotel who intervened and separated the fight between the men. Josephine Angucia, the West Nil...