A rapidly evolving mobile malware dubbed Roaming Mantis is swarming across the globe with new malicious capabilities and is moving beyond just Android targets. In April, security researchers said Roaming Mantis attacks mostly targeted Android users in South East Asia such as South Korea, Bangladesh and Japan.

Roaming Mantis attacks initially spread via DNS hijacking in which users attempting to access a specific website through a compromised router were automatically redirected to a malicious website that distributed a Trojanised application that pretends to be Facebook or Chrome. Once manually installed by the user, a Trojan banker executes.

In just a month, the creators behind Roaming Mantis - also known as MoqHao and XLoader - have significantly shifted gears to expand geographically and broaden their attack and evasion techniques. Kaspersky Lab researchers said the landing pages and malicious APK files used in the attacks now support 27 languages covering Europe and the Middle East including English, Spanish, Arabic, German, Chinese, Russian, Hebrew, Hindi and Turkish - up from just four languages a month ago.

"We believe the attacker made use of an easy method to potentially infect more users, by translating their initial set of languages with an automatic translator," Kaspersky researchers said. "It’s clear from this that South Korea, Bangladesh and Japan are no longer the worst affected countries; instead, Russia, Ukraine and India bore the brunt."

While the previous iteration of Roaming Mantis focused solely on Android devices, the campaign has since evolved to target iOS users with phishing attacks and PCs with cryptomining code.

When targeting iOS devices, users are redirected to a phishing site mimicking the Apple website and claims to be "security.apple.com". The phishing website steals victims' user ID, password, card number, card expiration date and CVV. Researchers said the HTML source of the phishing site also supports 25 languages with just Bengali and Georgian missing from the initial list.

Beyond stealing sensitive information from Android and iOS users, researchers also discovered the HTML source code of the Roaming Mantis landing pages contained a special script to be executed in the browser to mine cryptocurrency. When a user connects to the malicious landing page from a PC, a Coinhive Javascript miner runs to hijack the machine's processing power to mine for Monero coins.

"The evasion techniques used by Roaming Mantis have also become more sophisticated. Several examples of recent additions described in this post include a new method of retrieving the C2 by using the email POP protocol, server side dynamic auto-generation of changing apk file/filenames, and the inclusion of an additional command to potentially assist in identifying research environments, have all been added."

McAfee researchers first identified Roaming Mantis in August 2017 when its distribution method was SMS and its only target was South Korea at the time. By April 2018, it had expanded to implement DNS hijacking and target victims in other Asian countries.

"The Roaming Mantis campaign evolved significantly in a short period of time," Kaspersky Labs said. "The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded."

Cyware Publisher