Ongoing Malware Campaign Hijacks Routers to Distribute Banking Malware
Recent cybersecurity alerts have emphasized the urgency of addressing a malicious campaign targeting Internet routers. This operation exploits vulnerabilities to distribute Android banking malware, jeopardizing users’ personal data, login credentials, and two-factor authentication codes. Dubbed Roaming Mantis, this sophisticated malware leverages compromised DNS settings in inadequately secured routers, allowing attackers to reroute user traffic to fraudulent sites.
The methodology behind this malware campaign involves manipulating DNS settings to execute a DNS hijacking attack. By intercepting user traffic, cybercriminals can inject rogue advertisements and redirect individuals to phishing websites designed to harvest sensitive information, including banking and login details. This tactic is not novel; earlier campaigns such as DNSChanger and Switcher used the same technique, with compromised routers redirecting users to malicious domains.
Security researchers from Kaspersky Lab discovered the active Roaming Mantis campaign, which has primarily impacted users in several Asian countries (namely South Korea, China, Bangladesh, and Japan) since February of this year. Once DNS settings are tampered with, victims find themselves directed to counterfeit versions of well-known websites, where they encounter deceptive warnings encouraging them to “update to the latest Chrome version” for an improved browsing experience. This subterfuge masks the malware’s true intent.
Upon visiting these imitation sites, users unknowingly download an application disguised as the legitimate Chrome browser for Android. This application requests extensive permissions, including access to SMS/MMS, audio recording, and managing external storage. If executed, the malicious app quickly overlays other screens with a fake warning stating, “Account No. exists risks; use after certification.”
The subsequent actions taken by Roaming Mantis involve launching a local server on the affected device, which then opens a counterfeit Google site prompting users to input personal information. Notably, this fraudulent webpage displays the user’s Gmail address, enhancing the illusion of legitimacy. Once users submit their details, the malware redirects them to an empty page while capturing information necessary for two-factor authentication, potentially compromising users’ accounts.
Upon further analysis of the malware, researchers noted references to popular South Korean banking and gaming applications, which suggests an intent to target users interested in financial services. This indicates an awareness on the part of attackers regarding their prospective victims’ behaviors and preferences. Furthermore, the malware contains a functionality aimed at identifying whether the infected device is rooted, which can signal the attackers to either halt their operations or exploit additional access capabilities, depending on the device’s security posture.
Interestingly, Roaming Mantis employs a notable innovation in its command-and-control architecture by utilizing profiles on a prominent Chinese social media platform. This allows attackers to deliver commands to infected devices by updating these controlled profiles. Kaspersky’s telemetry data indicates that this malware has been detected over 6,000 times, though reported incidents came from only 150 unique users.
To mitigate the risk of such attacks, it is critical for businesses and individuals alike to ensure their routers are running the latest firmware and are secured with strong, unique administrative passwords. Disabling remote management features also reduces exposure, as does configuring trusted DNS servers directly within the router settings and periodically verifying that those settings have not changed.
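The DNS hijacking mechanism described above and the mitigation of pinning trusted resolvers both suggest a simple defender-side check: compare the resolvers a client is actually using against an allowlist, and compare the answers the router's resolver gives with those of an independent trusted resolver. The script below is an added example, not code from the article or from Kaspersky; the allowlist, the resolv.conf text and all DNS answers are constructed sample data (documentation IP ranges only) so that it runs offline, and on a real host they would be replaced by the live resolv.conf and by queries against each resolver.

```python
"""
DNS-hijack sanity check (added example; not code from the article or Kaspersky).
Evaluates two independent signals on a client behind a possibly tampered router:

  1. Are the resolvers the router advertises on a trusted allowlist?
  2. Do the router's answers diverge from an independent trusted resolver, and in
     particular do several unrelated domains collapse onto the same address (the
     classic DNS-hijack pattern, where everything points at one rogue host)?

All input is constructed in-line (documentation IP ranges only) so the script
runs offline; on a real host the resolver list comes from resolv.conf / DHCP
and the answers from live queries against each resolver.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Resolvers deliberately chosen by the administrator (assumed allowlist).
TRUSTED_RESOLVERS = {"1.1.1.1", "9.9.9.9"}

# Constructed resolv.conf as written by a DHCP client behind a tampered router.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd (constructed sample)
search lan
nameserver 192.0.2.53
nameserver 1.1.1.1
"""

# Constructed answers from the router's resolver versus a trusted resolver.
ROUTER_ANSWERS: Dict[str, List[str]] = {
    "www.google.com": ["198.51.100.7"],   # unrelated domains -> same rogue IP
    "bank.example": ["198.51.100.7"],
    "www.example.com": ["203.0.113.34"],  # untouched
}
TRUSTED_ANSWERS: Dict[str, List[str]] = {
    "www.google.com": ["203.0.113.1"],
    "bank.example": ["203.0.113.10"],
    "www.example.com": ["203.0.113.34"],
}


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def untrusted_resolvers(configured: Iterable[str], trusted: Iterable[str]) -> List[str]:
    """Resolvers in use that are not on the allowlist; any hit is a finding."""
    allow = set(trusted)
    return [s for s in configured if s not in allow]


def divergent_domains(router: Dict[str, List[str]],
                      reference: Dict[str, List[str]]) -> List[str]:
    """Domains whose router answers share no address with the reference answers.
    Disjoint sets are used rather than exact equality, because CDN-backed
    domains legitimately return different subsets of addresses per query."""
    out = []
    for domain, addrs in router.items():
        if domain in reference and not set(addrs) & set(reference[domain]):
            out.append(domain)
    return sorted(out)


def shared_sink_ips(router: Dict[str, List[str]],
                    min_domains: int = 2) -> Dict[str, List[str]]:
    """Addresses returned for at least `min_domains` different domains."""
    by_ip = defaultdict(set)
    for domain, addrs in router.items():
        for ip in addrs:
            by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}


def assess(resolv_conf: str, router: Dict[str, List[str]],
           reference: Dict[str, List[str]]) -> dict:
    """Combine the signals into one report. Divergence alone is only listed
    (it can be CDN geo-steering); an unlisted resolver or a shared sink IP
    marks the result as suspicious."""
    unlisted = untrusted_resolvers(parse_nameservers(resolv_conf), TRUSTED_RESOLVERS)
    divergent = divergent_domains(router, reference)
    sinks = shared_sink_ips(router)
    return {
        "untrusted_resolvers": unlisted,
        "divergent_domains": divergent,
        "shared_sink_ips": sinks,
        "suspicious": bool(unlisted) or bool(sinks),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_RESOLV_CONF, ROUTER_ANSWERS, TRUSTED_ANSWERS), indent=2))
```

The shared-sink heuristic matters more than raw divergence: a single resolver answer that differs from a reference is common with CDNs, whereas a bank and a search engine both resolving to one address almost never happens legitimately. Running this from a scheduled task and alerting on `suspicious` gives early warning that a router's DNS settings have changed, before users see the fake "update Chrome" page.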
In conclusion, the Roaming Mantis campaign highlights the vulnerabilities inherent in Internet infrastructures and underscores the pressing need for robust cybersecurity measures. As this situation evolves, staying informed and adopting proactive defenses remains imperative. The tactics exhibited in this attack align with several adversary techniques outlined in the MITRE ATT&CK framework, including initial access through compromised credentials and persistence via modified DNS settings, which collectively reflect a sophisticated and adaptable threat landscape.