Phone : +91 9582 90 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Roaming Mantis uses DNS changers to target users via compromised public routers

Roaming Mantis uses DNS changers to target users via compromised public routers

Roaming Mantis uses DNS changers to target users via compromised public routers

 

Roaming Mantis uses DNS changers to target users via compromised public routers

Kaspersky researchers reported on a new domain name system (DNS) changer functionality used in the Roaming Mantis campaign.

Now cybercriminals can use compromised Wi-Fi routers in cafes, airports hotels, and other public places to potentially infect more Android smartphones with the Wroba.o malware.

At the moment, the new technique targets users in South Korea, but it can be soon implemented in other countries as well.

Roaming Mantis (a.k.a Shaoye) is a cybercriminal campaign first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to control infected Android devices and steal device information. It also has a phishing option for iOS devices and crypto-mining capabilities for PCs. The name of the campaign is based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection.

New DNS changer functionality to attack more users via public routers

Kaspersky discovered that Roaming Mantis recently introduced a domain name system (DNS) changer functionality in Wroba.o (a.k.a Agent.eq, Moqhao, XLoader) – the malware that was primarily used in the campaign. DNS changer is a malicious program that directs the device connected to a compromised Wi-Fi router to a server under the control of cybercriminals instead of a legitimate DNS server. On the malicious landing page, the potential victim is prompted to download malware that can control the device or steal credentials.

At the moment, the threat actor behind Roaming Mantis is exclusively targeting routers located in South Korea and manufactured by a very popular South Korean network equipment vendor. To identify them, the new DNS changer functionality gets the router’s IP address and checks the router’s model, compromising targeted ones by overwriting the DNS settings. In December 2022, Kaspersky observed 508 malicious APKs downloads in the country.

An investigation of malicious landing pages found that attackers are also targeting other regions using smishing instead of DNS changers. This technique employs text messages to spread malicious links that direct the victim to a malicious site to download malware onto the device or steal user info via a phishing website.

Japan topped the list of targeted countries with nearly 25 000 malicious APK downloads from the landings created by cybercriminals. Austria and France followed with roughly 7000 downloads each. Germany, Turkey, Malaysia and India rounded the list. Kaspersky researchers predict that the perpetrators may soon update the DNS changer function to target Wi-Fi routers in those regions as well.

“When an infected smartphone connects to ‘healthy’ routers in various public places like cafes, bars, libraries, hotels, shopping malls, airports, or even homes, Wroba.o malware can compromise these routers and affect other connected devices as well,” says Suguru Ishimaru, Senior Security Researcher at Kaspersky.

The new DNS changer functionality, he adds, can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products. “We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions.”

 

Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 9582 90 7788 | Support Number : +91-9654016484
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket