The recently found DNS hijacking malware that was targeting Android devices has now evolved, and it is capable of targeting iOS and desktop users.
Roaming Mantis malware was initially discovered hijacking Internet routers last month to distribute Android banking malware designed to steal users’ login credentials and the secret code for two-factor authentication.
The criminal group behind the Roaming Mantis campaign has now expanded their phishing attacks to iOS devices and PC users.
The first cyber attacks were designed to target users in South East Asia, including South Korea, China, Bangladesh and Japan. The new campaign now supports 27 languages so that it can more easily infect people across Europe and the Middle East.
Companies and individuals must take precautions against this growing wave of cyber attacks; at a minimum they should run a cybersecurity solution, such as an antivirus, to protect their systems. Basic hygiene includes regularly updating operating systems and other firmware, and using an antivirus for Windows, an antivirus for Mac or an antivirus for Android, depending on which OS the device runs. Companies should also hire professional cybersecurity firms to check their internal network a couple of times per year. These checkups must always include a penetration test and various ethical hacking tests.
Roaming Mantis malware modus operandi
The new Roaming Mantis malware is distributed via DNS hijacking: the attackers change the DNS settings of wireless routers so that traffic is redirected to malicious websites under their control.
This means that whenever users try to reach any website through a compromised router, they are redirected to malicious websites serving:
• fake apps infected with banking malware to Android users,
• phishing sites to iOS users,
• sites with a cryptocurrency mining script to desktop users.
To evade detection, the fake websites generate new packages in real time, with an individual malicious APK file for each download, and name the file with eight random digits.
If any of these APK apps is installed, the attackers can control the infected Android device through 19 built-in backdoor commands, including sendSms, setWifi, gcont, lock, onRecordAction, call, get_apps, ping and more.
iOS victims are redirected to a phishing site that mimics the Apple website, named ‘security.app.com’. The fake site asks victims to enter their user ID, password, card number, card expiration date and CVV number.
Researchers also found that Roaming Mantis injects a browser-based cryptocurrency mining script from CoinHive on each page visited using a desktop browser.
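The two indicators described above (APK downloads whose filename is exactly eight digits, and the CoinHive miner script injected into desktop pages) are simple to look for in web-proxy logs. The following is an added detection example, not code from the original article or from the researchers; the log format, the client addresses and the hostnames are constructed, and matching the miner on the substring "coinhive" in the URL is an assumption, since the article names CoinHive but not the exact script path.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample web-proxy log (not real traffic). Fields:
# client_ip  method  url  status
SAMPLE_LOG = """\
10.0.0.12 GET http://update-example.test/73920184.apk 200
10.0.0.12 GET http://update-example.test/index.html 200
10.0.0.31 GET https://coinhive.com/lib/coinhive.min.js 200
10.0.0.44 GET http://cdn.example.test/app-release.apk 200
10.0.0.57 GET http://dl.example.test/1234.apk 200
10.0.0.57 GET http://dl.example.test/00000000.apk 404
"""

# Filename of exactly eight digits ending in .apk, as described for the
# per-download packages generated by the fake sites. An optional query
# string after the extension is tolerated.
EIGHT_DIGIT_APK = re.compile(r"/(\d{8})\.apk(?:\?.*)?$", re.IGNORECASE)

# Assumption: the miner is referenced by a URL containing this string.
MINER_MARKERS = ("coinhive",)


@dataclass(frozen=True)
class Finding:
    client: str
    url: str
    reason: str


def parse_line(line: str) -> tuple[str, str, str, str] | None:
    """Split one log line into its four fields; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    client, method, url, status = parts
    return client, method, url, status


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious request, in log order.

    A failed download (non-200 status) is still reported, because the
    attempt itself shows the client was redirected to the fake site.
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        client, _method, url, _status = parsed
        if EIGHT_DIGIT_APK.search(url):
            findings.append(Finding(client, url, "eight-digit apk filename"))
        lowered = url.lower()
        if any(marker in lowered for marker in MINER_MARKERS):
            findings.append(Finding(client, url, "browser miner script"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client}\t{f.reason}\t{f.url}")
```

Because the fake sites vary the package itself per download, hashing the APK is of little use; the naming pattern and the redirect destination are the stable parts, which is why the scan keys on the URL rather than on file content. Clients that appear in the output are candidates for the router check described later in the article.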
To protect yourself from this malware, keep your router updated to the latest firmware version and protected by a secure password. Also, always check that the sites you visit have HTTPS enabled.
Further, it is advisable to disable your router’s remote administration feature and hardcode a trusted DNS server in the operating system’s network settings.
Install apps only from official stores, and disable the installation of apps from unknown sources.
Check whether your Wi-Fi router is compromised by reviewing its DNS settings and the DNS server address. If it does not match the one given by your provider, change it back to the correct one and change all your account passwords immediately.
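The DNS check just described, and the earlier advice to hardcode a trusted resolver in the operating system, can be automated on the client side. The following is an added example, not code from the original article: it parses a resolver configuration in /etc/resolv.conf syntax and reports every nameserver that is not on the list you expect. The sample configuration, the addresses in it and the expected-resolver list are all constructed; replace EXPECTED_RESOLVERS with the addresses your provider gave you or the ones you configured by hand.

```python
import ipaddress

# Constructed sample resolver configuration (resolv.conf syntax).
# The second nameserver is deliberately one that was not configured
# by the user or the provider, to show what a hijacked entry looks like.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search lan
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver not-an-address
options timeout:2
"""

# Assumption: the resolvers you expect to see, i.e. your router's own
# address and/or the resolver your provider told you to use.
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.2"}


def parse_nameservers(text: str) -> list[str]:
    """Return the valid IP addresses listed on 'nameserver' lines, in order.

    Comments and blank lines are ignored; a malformed address is skipped
    rather than trusted, since the audit only reasons about real IPs.
    """
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "nameserver" or len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        servers.append(parts[1])
    return servers


def audit_resolvers(configured: list[str], expected: set[str]) -> list[str]:
    """Return the configured resolvers that are not on the expected list."""
    return [server for server in configured if server not in expected]


def audit_config(text: str, expected: set[str] = EXPECTED_RESOLVERS) -> list[str]:
    """Parse a resolv.conf-style text and return the unexpected resolvers."""
    return audit_resolvers(parse_nameservers(text), expected)


if __name__ == "__main__":
    unexpected = audit_config(SAMPLE_RESOLV_CONF)
    if unexpected:
        print("unexpected DNS servers:", ", ".join(unexpected))
    else:
        print("DNS servers match the expected list")
```

One caveat that follows from how Roaming Mantis works: if the device only lists the router's own address (192.168.1.1 in the sample) as its resolver, the client-side check passes even when the router has been reconfigured to forward queries to an attacker-controlled upstream. In that setup the same comparison has to be made against the DNS servers shown in the router's own administration page, which is the check the article is actually asking for.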
Keep in mind that every device represents a network entry point or a valuable data store that must be protected by at least one cybersecurity solution, such as an antivirus. Depending on which OS your machine is running, install an antivirus for Windows, an antivirus for Mac or an antivirus for Android for complete protection. Companies must take an extra step and hire a professional cybersecurity firm to run various cybersecurity tests on the company’s network, so that only the best possible cybersecurity solution is implemented. Always opt for a package that includes at least a penetration test and an ethical hacking test. For companies that exist 100% online, we recommend using cyber-secured web hosting services.