Roaming Mantis implements new DNS changer in its malicious mobile app in 2022

vtqhtr413

Roaming Mantis (a.k.a. Shaoye) is well-known as a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal device information; it also uses phishing pages to steal user credentials, with a strong financial motivation. Kaspersky has been investigating the actor’s activity throughout 2022, and we observed a DNS changer function used for getting into Wi-Fi routers and undertaking DNS hijacking. This was newly implemented in the known Android malware Wroba.o/Agent.eq (a.k.a. Moqhao, XLoader), which was the main malware used in this campaign.

silversurfer

The Roaming Mantis malware distribution campaign has updated its Android malware to include a DNS changer that modifies DNS settings on vulnerable WiFi routers to spread the infection to other devices.

Starting in September 2022, researchers observed the 'Roaming Mantis' credential theft and malware distribution campaign using a new version of the Wroba.o/XLoader Android malware that detects vulnerable WiFi routers based on their model and changes their DNS.

The malware then creates an HTTP request to hijack a vulnerable WiFi router's DNS settings, causing connected devices to be rerouted to malicious web pages hosting phishing forms or dropping Android malware.

The updated Wroba.o/XLoader Android malware variant was discovered by Kaspersky researchers, who have been tracking Roaming Mantis activity for years. Kaspersky explains that Roaming Mantis has been using DNS hijacking since at least 2018, but the new element in the latest campaign is that the malware targets specific routers.

The most current campaign using this updated malware targets specific WiFi router models used mainly in South Korea. Still, the hackers can change it anytime to include routers commonly used in other countries.

This approach allows the threat actors to perform more targeted attacks and compromise only specific users and regions while evading detection in all other cases.

Previous Roaming Mantis campaigns targeted users in Japan, Austria, France, Germany, Turkey, Malaysia, and India.
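The DNS changer described in the posts above works by rewriting the resolvers a compromised router hands out, so every device on the LAN silently resolves names through attacker-controlled servers. The following is an added defender-side check, not code from Kaspersky, BleepingComputer or the Wroba.o/XLoader sample: it compares the resolvers a router currently advertises against an allowlist and cross-checks a sensitive domain's answer through those resolvers against a trusted resolver. All addresses, domains and lookup results are constructed sample data.

```python
"""Detect a router whose DNS settings have been changed (added example, not from the page).

Two signals of a DNS-changer style hijack:
  1. the router advertises a resolver that is not the router itself or the ISP's resolvers;
  2. a sensitive domain resolves to a different address through the router's resolver
     than through a resolver you trust.
"""
from ipaddress import ip_address

# Constructed allowlist: the router's LAN address plus the ISP's two resolvers.
EXPECTED_RESOLVERS = {"192.168.0.1", "203.0.113.53", "203.0.113.54"}


def flag_unexpected_resolvers(advertised, expected=EXPECTED_RESOLVERS):
    """Return the advertised DNS servers that are not on the allowlist (in order seen)."""
    flagged = []
    for server in advertised:
        ip_address(server)  # raises ValueError on a malformed address rather than silently passing it
        if server not in expected:
            flagged.append(server)
    return flagged


def answers_differ(via_router, via_trusted):
    """Domains whose answer through the router's resolver differs from the trusted resolver's answer."""
    return sorted(d for d in via_trusted if via_router.get(d) != via_trusted[d])


def audit_router(advertised, via_router, via_trusted):
    """Combine both checks into one verdict dict."""
    bad_servers = flag_unexpected_resolvers(advertised)
    bad_domains = answers_differ(via_router, via_trusted)
    return {
        "unexpected_resolvers": bad_servers,
        "mismatched_domains": bad_domains,
        "hijack_suspected": bool(bad_servers or bad_domains),
    }


# Constructed sample: the router now hands out one unknown resolver, and the banking
# domain resolves to a different host through it than through the trusted resolver.
SAMPLE_ADVERTISED = ["192.168.0.1", "198.51.100.7"]
SAMPLE_VIA_ROUTER = {"bank.example": "198.51.100.20", "mail.example": "203.0.113.10"}
SAMPLE_VIA_TRUSTED = {"bank.example": "203.0.113.20", "mail.example": "203.0.113.10"}

if __name__ == "__main__":
    print(audit_router(SAMPLE_ADVERTISED, SAMPLE_VIA_ROUTER, SAMPLE_VIA_TRUSTED))
```

In practice the advertised resolvers come from the DHCP lease on a client and the two lookup dicts from querying the same domains through the router and through a resolver reached directly.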