Go to listing page

Roaming Mantis' New DNS Changer Function to Target Public Routers

Roaming Mantis' New DNS Changer Function to Target Public Routers
Roaming Mantis, aka Shaoye, has added a DNS changer function to its Android malware Wroba.o/Agent.eq (aka Moqhao, XLoader) to infiltrate Wi-Fi routers in public places. It was found to be active throughout 2022 and, in the last few months, it has upgraded its tools and tactics.

Implementation of DNS changer function

According to Kaspersky researchers, Roaming Mantis is using the newer variant of Wroba.o that contains code and hardcoded strings for checking the Wi-Fi router model from the router’s admin web interface.
  • Attackers have successfully implemented the DNS changer functionality to target Wi-Fi routers located in South Korea using these hardcoded strings.
  • The DNS changer connects to the hardcoded vk[.]com account to get the next destination, which dynamically provides the criminal’s current rogue DNS IP addresses.
  • Finally, the DNS changer uses a hardcoded default ID and password and generates a URL query with the rogue DNS IPs to compromise the DNS settings of the Wi-Fi router, depending on the model.

The DNS server used by the group only resolves certain domain names to specific landing pages when accessed from a mobile device, which is likely a tactic to hide its activity from security researchers.

Targeted regions

Researchers confirmed that since September 2022, the group has been using the malware with the new DNS changer functionality to mainly target South Korea.
  • Attackers are targeting other regions using smishing instead of DNS changers. 
  • Between September and December, the highest detection rate of Wroba.o malware was in France (54.4%), Japan (12.1%), and the U.S. (10.1%).
  • According to the number of malicious APK downloads, in the first half of December, the most affected region was Japan (24,645), followed by Austria (7,354), France (7,246), Germany (5,827), South Korea (508), Turkey (381), Malaysia (154), and India (28).

Experts predict that attackers may soon implement the DNS changer functionality to target Wi-Fi routers in these regions.

The bottom line

The discovery of the new DNS changer functionality is highly critical for the security of Android users. Attackers using this functionality can manage all communications from devices using a compromised Wi-Fi router. Moreover, they can redirect to malicious hosts and interfere with security product updates. Android users are suggested to avoid clicking on links received via SMS and avoid installing APKs outside Google Play.
Cyware Publisher