Roaming Mantis group is now distributing iOS cryptominers via malicious content delivery systems

• The Roaming Mantis threat group created a fake Apple phishing page, which when visited by victims, infects their iOS devices with a cryptominer.
• In previous campaigns, Roaming Mantis deployed a cryptominer that targeted PCs.

The Roaming Mantis threat group is back in action. In previous campaigns, the group spread their malware - MoqHao and XLoader - by disguising them as legitimate apps like Facebook and Chrome. Researchers discovered that Roaming Mantis’ malware now supports 27 different languages. In their most recent campaign, the cybercriminals are targeting iOS devices with a cryptominer.

In their latest campaign, the Roaming Mantis threat group created a fake Apple phishing page, which when visited by victims, infects their iOS devices with a cryptominer. When a victim visits the phishing site, a blank page is displayed on the victim’s iOS devices. Meanwhile, in the background, the CPU usage of the device immediately spikes to 90 percent.

“One thing we noticed is that the criminals responded to a number of articles and research activities coming from Japan,” Kaspersky Lab researchers, who have been monitoring Roaming Mantis’ activities, said in a blog. “Our deeper investigation revealed that their new malware spreading method was the one used by other Android malware, the ‘sagawa.apk’ delivery system.

“Unfortunately, the relationship between the Roaming Mantis group and the service owner of the “sagawa.apk” delivery mechanism isn’t very clear at the moment. They might just use the same service as customers, or might not. However, it is clear that these criminal groups use the same malware-spreading eco-system for spreading their Android malware.”

The threat group’s previous campaigns appear to have already compromised thousands of Android devices. Information such as phone numbers, IP addresses, language, email IDs, passwords, names, dates of birth, addresses, credit card information including cvv, bank information, and more was stolen.

According to Kaspersky researchers, Roaming Mantis campaigns have rapidly evolved, expanding targets and using new attack techniques.

“Roaming Mantis is also trying to spread its malware via prezi.com, with a scam that offers a visitor free content such as videos and more,” Kaspersky researchers said. “Judging from the list of stolen credentials, the attackers seem to have stolen a large amount of data from victims worldwide. This gives us a glimpse of the real scale of the attack, but we believe that this is just a tip of the iceberg.”