Roaming Mantis malware evolves into cryptomining and iOS phishing.




     Recent analysis shows that the Roaming Mantis mobile banking trojan has evolved rapidly over the past month. It is now targeting Europe and the Middle East in addition to Asian countries, and according to researchers it is expanding its capabilities to include cryptomining and iOS phishing. Roaming Mantis is mobile malware that spreads by DNS hijacking: potential victims are redirected to a malicious web page that distributes a trojanized application posing as either Facebook or Chrome. Once the user installs it manually, the banking trojan executes.

     Roaming Mantis has evolved quickly, according to Kaspersky Lab researcher Suguru Ishimaru, and the hackers behind it have been quite active in improving their tools. The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well funded. On the global front, Roaming Mantis was seen this month to have significantly reworked its landing pages and malicious APK files to support 27 languages, a serious expansion from the four languages it used in attacks just a month ago. In attacks found in April, its activity was located mostly in Bangladesh, Japan and South Korea, according to Ishimaru. Researchers confirmed that several more languages have since been hardcoded in the HTML source of the landing page, and the expansion is catching more victims: South Korea, Bangladesh and Japan are no longer the worst affected countries, and attacks are now more focused on Russia, Ukraine and India.




     In addition to widening its targets, an analysis of the Roaming Mantis code reveals that the hackers behind the malware have added a phishing option that targets iOS device users and a cryptomining option that targets PCs. This is a departure from the group's primary focus on the Android platform. When a user connects to the page on an iOS device, the user is redirected to [http://security.apple.com/]. Legitimate DNS servers would not be able to resolve this domain because it does not exist. However, a user connecting through a hacked router can reach the landing page because the rogue DNS service resolves the domain to the IP address [172.247.116.155]. The final page is a phishing page mimicking the Apple website, with a very reassuring domain name in the browser's address bar.
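The DNS hijack described above can be checked for from a defender's side: a hostname that should not exist must come back NXDOMAIN, so any answer at all from the configured resolver is suspicious, and an answer matching the indicator quoted in the write-up is a direct hit. The following is an added example written for this page, not code from Kaspersky or the article; the canary hostname and IP are the ones quoted above, and the resolver callback is an assumption that lets the check run against constructed answers as well as the real system resolver.

```python
import socket

# Indicators quoted in the write-up: the rogue resolver answers this
# nonexistent Apple hostname with this address.
ROGUE_HOST = "security.apple.com"
ROGUE_IP = "172.247.116.155"


def resolve_with_system(host):
    """Query the system resolver; return the A record or None on NXDOMAIN/error."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def check_resolver(resolve, canaries=(ROGUE_HOST,), known_bad_ips=frozenset({ROGUE_IP})):
    """Resolve each canary name through `resolve` and report anything that answers.

    A healthy resolver returns None (NXDOMAIN) for every canary. An answer that
    matches a known rogue IP is reported as 'rogue-ip-match'; any other answer
    is reported as 'unexpected-resolution' (possibly a different hijack, or a
    resolver that synthesises answers for nonexistent names).
    Returns a list of (host, ip, finding) tuples; an empty list means clean.
    """
    findings = []
    for host in canaries:
        ip = resolve(host)
        if ip is None:
            continue  # NXDOMAIN is the expected, healthy answer
        if ip in known_bad_ips:
            findings.append((host, ip, "rogue-ip-match"))
        else:
            findings.append((host, ip, "unexpected-resolution"))
    return findings


if __name__ == "__main__":
    # Stand-alone run uses the live system resolver configured on this host.
    for host, ip, finding in check_resolver(resolve_with_system):
        print(f"{finding}: {host} -> {ip}")
    else:
        print("no canary resolved; resolver looks clean")
```

The canary list should be extended with a few random, never-registered subdomains of your own domain so the check keeps working even if the hostname quoted here is registered legitimately in the future.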

     The phishing site steals user IDs, passwords, card numbers, card expiration dates and CVVs. At the time of the analysis, the HTML source of the phishing site supported 25 languages. The hackers have also added a new feature: web mining via the CoinHive script executed in the browser. When a user connects to the page from a PC, CPU usage rises sharply because of the cryptomining activity in the browser.



     The methods used by Roaming Mantis to evade security measures have also become more sophisticated. Recent additions include a new method of retrieving the C2 address using the email POP protocol, server-side dynamic auto-generation of changing APK file names, and an additional command that may help identify research environments. The dynamic auto-generation helps the samples avoid blacklisting.

     The researchers also observed that, as of May 16, 2018, every downloaded malicious APK file is unique because the package is generated in real time. It seems the hackers added automatic generation of an APK per download to avoid blacklisting by file hash. In the most recent sample, instead of using HTTP, Roaming Mantis uses an email protocol to retrieve the C2: the malware connects to an email inbox using hardcoded outlook.com credentials via POP3, reads the email subject (written in Chinese) and extracts the real C2 address using the string "abcd" as an anchor.