DNS Hijacking Malware Targeting Users on iOS, Android, and Desktop Platforms Globally

Roaming Mantis Malware Expands Targeting Capabilities to iOS Users and Desktops

Recent reports indicate a significant evolution in the Roaming Mantis malware campaign, which previously focused on compromising Android devices through DNS hijacking. This malware has now broadened its target scope, reportedly affecting iOS devices and desktop users. Researchers from Kaspersky Labs have observed that the criminal group behind Roaming Mantis has leveraged its existing infrastructure to conduct phishing attacks against iOS users and deploy cryptocurrency mining scripts aimed at PC users.

Initially uncovered last month, Roaming Mantis targeted internet routers to redirect traffic towards malicious sites that distributed Android banking malware. This component was designed specifically to obtain sensitive user information, including login credentials and two-factor authentication codes. With the recent updates, the campaign now supports phishing in 27 different languages, significantly broadening its geographical reach beyond its initial focus on Southeast Asia—including countries like South Korea, China, Bangladesh, and Japan—to encompass wider regions such as Europe and the Middle East.

The malware continues to propagate via DNS hijacking. Cyber attackers alter the DNS settings of routers, steering users to counterfeit websites controlled by them. For Android users, these sites deliver malicious applications, while iOS users encounter phishing pages posing as legitimate platforms. For desktop users, the payload consists of scripts that mine cryptocurrency, specifically Monero, utilizing browser resources.

Upon redirecting an Android user to a malicious site, the individual is prompted to download what appears to be a legitimate app update. This often results in the installation of a malicious APK file disguised as a legitimate application, such as Chrome or Facebook. The attackers employ various evasive techniques, including real-time generation of unique malicious files, further complicating detection efforts.

The malware is equipped with an array of commands, enabling attackers to exert control over infected Android devices through functions such as sending SMS messages and accessing installed applications. For iOS devices, the effective phishing scheme involves redirecting users to a seemingly authentic Apple login page where they are prompted to input sensitive information such as usernames, passwords, and credit card details.

This ongoing campaign raises serious concerns regarding the financial motivations behind such sophisticated attacks, suggesting that the perpetrators are well-funded and organized. As the malware gains traction with its multi-platform capabilities, cybersecurity experts strongly recommend that businesses strengthen their defenses.

To mitigate the risks associated with Roaming Mantis, organizations are advised to ensure routers are updated with the latest firmware and secured with robust passwords. It is crucial to avoid using compromised DNS servers and to verify the HTTPS status of websites visited. Additionally, employees should be educated on the importance of downloading applications solely from official app stores and disabling the installation of applications from unknown sources.

Monitoring DNS settings is vital; any discrepancies in the DNS server address may indicate compromise. Businesses that detect unusual activity should act swiftly to change their account passwords and reinforce their cybersecurity protocols.
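The DNS-settings check described above, written out as an added example (not code from the article or from Kaspersky): it parses a workstation's resolv.conf-style resolver list and compares each entry against a constructed allowlist and the site's LAN prefix, so a resolver that is neither on the allowlist nor on the local network, the signature of a router whose DNS settings were rewritten, is flagged. The allowlist, LAN prefix and sample file are all constructed for the example; 203.0.113.5 is an RFC 5737 documentation address standing in for a rogue resolver.

```python
import ipaddress

# Constructed baseline for one site: the resolvers the router is supposed to
# hand out, and the LAN prefix the router itself lives on.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1"}
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed resolv.conf content as a workstation would see it after its
# router was reconfigured to push one rogue resolver (placeholder address).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.168.1.1
nameserver 203.0.113.5
"""


def parse_resolv_conf(text: str) -> list[str]:
    """Return nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1].split("%", 1)[0])  # drop IPv6 zone id
    return servers


def classify_resolver(addr, expected=EXPECTED_RESOLVERS, lan=LAN_NETWORKS) -> str:
    """'expected' (on the allowlist), 'lan' (local but unlisted),
    'external' (off-LAN and unlisted: the hijack signature), or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in expected:
        return "expected"
    if any(ip in net for net in lan):
        return "lan"
    return "external"


def audit_dns(text, expected=EXPECTED_RESOLVERS, lan=LAN_NETWORKS) -> dict[str, str]:
    """Map each configured resolver to its classification."""
    return {s: classify_resolver(s, expected, lan) for s in parse_resolv_conf(text)}


def flag_resolvers(text, expected=EXPECTED_RESOLVERS, lan=LAN_NETWORKS) -> list[str]:
    """Resolvers that should raise an alert: anything external or invalid."""
    return [s for s, c in audit_dns(text, expected, lan).items()
            if c in ("external", "invalid")]


if __name__ == "__main__":
    for server, verdict in audit_dns(SAMPLE_RESOLV_CONF).items():
        print(f"{server:>16}  {verdict}")
```

On a real host the same check can be fed the output of the platform's resolver query (for example the contents of /etc/resolv.conf, or the DNS servers reported by the router's admin page) and run on a schedule, alerting on any non-empty result.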

This incident exemplifies the evolving tactics employed by adversaries, aligning with the MITRE ATT&CK framework’s tactics such as initial access through credential gathering and execution via malicious payloads. The potential for widespread impact underscores the need for a proactive stance in cybersecurity strategies.
