The Roaming Mantis cyber threat crew (aka Shaoye) is compromising Wi-Fi routers in public locations, such as cafes, libraries, hotels and airports, to spread its Android malware known as Wroba.o (aka Agent.eq, Moqhao, XLoader).
What Kaspersky Found
Kaspersky discovered that Roaming Mantis recently began exhibiting domain name system (DNS) changer functionality in its Wroba.o malware. The malware was primarily used in a recent campaign in South Korea, Kaspersky said, but could spread to other geographic regions. Indeed, a recent operation using smishing (SMS phishing texts) instead of DNS changers occurred in Europe, Japan and other countries.
According to Kaspersky, a DNS changer is a malicious program that directs the DNS queries of devices connected to a compromised Wi-Fi router to a server under the control of Roaming Mantis instead of a legitimate DNS server. On the malicious landing page that results, the potential victim is prompted to download malware that can control the device or steal credentials.
Roaming Mantis has been running hijacking operations since at least 2018, but the twist now is that the malware targets specific routers to spread infections, Kaspersky said. Right now, the DNS changer campaign is aimed at routers located in South Korea and made by a single network equipment manufacturer. To identify routers to attack, Roaming Mantis obtains the router’s IP address, checks the router’s model and then overwrites the DNS settings.
Roaming Mantis' Tactics Expand
The Roaming Mantis cyber gang is using more than the DNS changer tactic to compromise mobile devices. Other regions of the world have been attacked using smishing techniques to load malware onto a device. Kaspersky believes that the hijackers may use an updated DNS changer to also target Wi-Fi routers in those regions.
Overall, from September through December 2022, the highest detection rate of Wroba.o malware was in France (54.4%), Japan (12.1%) and the U.S. (10.1%), Kaspersky’s data showed.
Commenting on the current situation, Suguru Ishimaru, senior security researcher at Kaspersky, said:
“When an infected smartphone connects to ‘healthy’ routers in various public places like cafes, bars, libraries, hotels, shopping malls, airports, or even homes, Wroba.o malware can compromise these routers and affect other connected devices as well. The new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products. We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions.”
How to Protect Your Organization
Kaspersky recommends that mobile device users take the following measures to protect their internet connection from the Wroba.o infection:
- Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with or contact your ISP for support.
- Change the default login and password for the admin web interface of the router and regularly update your router’s firmware from the official source.
- Never install router firmware from third-party sources. Avoid using third-party repositories for your Android devices.
- Further, always check browser and website addresses to ensure they are legitimate; look for signs such as HTTPS when asked to enter data.
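The first recommendation above, verifying that a DNS changer has not tampered with the resolver your router hands out, can be automated on a client. The following is an added example, not code from Kaspersky or the Roaming Mantis report: it parses a constructed resolv.conf, flags resolvers outside an assumed approved list, and compares a canary hostname's answers across resolvers so a resolver that redirects the name to a different host stands out. The addresses, the approved list and the answer sets are all constructed assumptions.

```python
import ipaddress

# Constructed sample of a client's /etc/resolv.conf as handed out by a Wi-Fi router's DHCP.
# 203.0.113.0/24 is a documentation range; 203.0.113.7 stands in for a rogue resolver.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager (constructed sample)
search lan
nameserver 192.168.0.1
nameserver 203.0.113.7
"""

# Assumption: the resolvers your organisation expects clients to use
# (the router's own LAN address and/or approved public resolvers).
APPROVED_RESOLVERS = {"192.168.0.1", "1.1.1.1", "9.9.9.9"}

# Constructed A-record answers for one canary hostname, keyed by the resolver that returned them.
SAMPLE_ANSWERS = {
    "1.1.1.1": {"198.51.100.10"},      # trusted resolver, genuine address
    "192.168.0.1": {"198.51.100.10"},  # router forwarding honestly
    "203.0.113.7": {"203.0.113.99"},   # rogue resolver steering the name to another host
}

# RFC 1918 ranges, used to tell a LAN resolver from a public one.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(nameservers: list[str], approved: set[str]) -> list[tuple[str, str]]:
    """Flag every resolver not on the approved list; a DNS changer shows up as an unexpected entry."""
    findings = []
    for ns in nameservers:
        if ns in approved:
            continue
        on_lan = any(ipaddress.ip_address(ns) in net for net in RFC1918)
        findings.append((ns, "unapproved LAN resolver" if on_lan else "unapproved public resolver"))
    return findings


def disagreeing_resolvers(answers: dict[str, set[str]], trusted: str) -> list[str]:
    """Return resolvers whose answer for the canary name differs from the trusted resolver's."""
    baseline = answers[trusted]
    return [r for r, ips in answers.items() if r != trusted and ips != baseline]
```

On a real client, feed `parse_nameservers` the contents of the resolver configuration and collect the canary answers by querying each resolver directly; any finding from either function is a reason to inspect the router's DNS settings.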