The threat actor tracked as Roaming Mantis (also known as Shaoye) has reportedly added a DNS changer function to its latest malicious mobile app, Wroba.o, in order to compromise Wi-Fi routers and carry out DNS hijacking.
The findings come from Kaspersky's SecureList researchers, who published an advisory about Roaming Mantis earlier today.
According to the technical write-up, the threat actor has been running a long-term campaign that uses malicious Android package (APK) files to control infected Android devices and steal device information.
"Back in 2018, Kaspersky first saw Roaming Mantis activities targeting the Asian region, including Japan, South Korea and Taiwan. At that time, the criminals compromised Wi-Fi routers for use in DNS hijacking, which is a very effective technique," reads the advisory.
"From mid-2019 until 2022, the criminals predominantly used smishing instead of DNS hijacking to deliver a malicious URL as their landing page."
This landing page, Kaspersky wrote, detected the user's device platform in order to serve malicious APK files to Android users or redirect iOS users to phishing pages.
"In September 2022, we [...] discovered the DNS changer was implemented to target specific Wi-Fi routers. It obtains the default gateway IP address as the connected Wi-Fi router IP and checks the device model from the router's admin web interface."
The researchers also found that the feature was implemented mainly to target Wi-Fi routers located in South Korea. Victims of Roaming Mantis were also observed in France, Japan, Germany, the US, Taiwan, Turkey and other regions.
"We believe that the discovery of this new DNS changer implementation is very important in terms of security," SecureList warned.
"The attacker can use it to manage all communications from devices using a compromised Wi-Fi router with rogue DNS settings. For instance, the attacker can redirect to malicious hosts and interfere with security product updates."
Kaspersky said it sees the potential for the group to use the DNS changer against other regions and cause significant problems. To help organizations spot Roaming Mantis' Wroba.o infections, a list of indicators of compromise (IoCs) is provided in the SecureList advisory.
The publication comes months after Google announced that it is increasingly improving Android security through the use of memory-safe programming languages.
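A router with rogue DNS settings typically pushes the attacker's resolvers to every client through DHCP option 6, so a quick check on a client is to inspect the resolvers the gateway hands out. The following Python script is an added example, not code from the Kaspersky advisory or the article: it parses the options field of a DHCP ACK (RFC 2132 format, including concatenated option 6 instances) and flags any DNS server that is neither the gateway itself nor on a trusted allowlist. The packets, the `203.0.113.53` resolver (a TEST-NET address) and the allowlist are constructed for illustration.

```python
"""Flag rogue DNS servers advertised by a (possibly compromised) Wi-Fi router.

Added example: parses DHCP options and compares the advertised resolvers
against the gateway and a trusted allowlist. Sample packets are constructed.
"""
import ipaddress

# DHCP option codes from RFC 2132
OPT_PAD = 0
OPT_ROUTER = 3
OPT_DNS = 6
OPT_MSG_TYPE = 53
OPT_END = 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the options field (bytes after the 236-byte BOOTP header).

    Returns {option_code: [raw_value, ...]}; repeated codes are kept in order so
    that split options (RFC 3396) can be concatenated by the caller.
    """
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options.setdefault(code, []).append(value)
        i += 2 + length
    return options


def ipv4_list(raw: bytes) -> list:
    """Decode a packed list of IPv4 addresses into dotted-quad strings."""
    if len(raw) % 4:
        raise ValueError("IPv4 list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def rogue_dns_servers(payload: bytes, trusted: list) -> list:
    """Return advertised DNS servers that are neither the router nor trusted."""
    opts = parse_dhcp_options(payload)
    routers = ipv4_list(b"".join(opts.get(OPT_ROUTER, [])))
    dns = ipv4_list(b"".join(opts.get(OPT_DNS, [])))  # join split option 6 pieces
    allowed = set(routers) | set(trusted)
    return [server for server in dns if server not in allowed]


def build_ack_options(router: str, dns_servers: list) -> bytes:
    """Constructed helper: build the options field of a DHCPACK for testing."""
    body = MAGIC_COOKIE
    body += bytes([OPT_MSG_TYPE, 1, 5])  # DHCPACK
    body += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    raw = b"".join(ipaddress.IPv4Address(s).packed for s in dns_servers)
    body += bytes([OPT_DNS, len(raw)]) + raw
    body += bytes([OPT_END])
    return body


# Constructed allowlist: resolvers the household/ISP is expected to use.
TRUSTED_RESOLVERS = ["1.1.1.1", "8.8.8.8"]

# Constructed samples: a healthy router and one with rogue DNS settings.
CLEAN_ACK = build_ack_options("192.168.0.1", ["192.168.0.1"])
HIJACKED_ACK = build_ack_options("192.168.0.1", ["192.168.0.1", "203.0.113.53"])

if __name__ == "__main__":
    for name, packet in (("clean", CLEAN_ACK), ("hijacked", HIJACKED_ACK)):
        print(name, "->", rogue_dns_servers(packet, TRUSTED_RESOLVERS))
```

The same comparison can be run against a live capture by feeding the options field of a sniffed DHCPACK to `rogue_dns_servers`; an empty result means the router only advertises itself or a known resolver, while any returned address is worth checking against the IoC list in the advisory.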
Some parts of this article are sourced from:
www.infosecurity-magazine.com