The Roaming Mantis operation began attacking users of Android and iOS in France after attacking targets in Germany, Taiwan, South Korea, Japan, the US, and the UK. Tens of thousands of devices were probably compromised as a result.
In February, Roaming Mantis began targeting consumers in Europe. It is thought that this threat actor is motivated by money.
Recently, a campaign was noticed in which the threat actor used SMS communication to trick consumers into installing malware on their Android handsets. A phishing page for Apple credentials is sent to the potential victim if they are an iOS user.
Dropping XLoader
Researchers at the cybersecurity firm SEKOIA claim in a report that the Roaming Mantis group is currently dumping the XLoader (MoqHao) payload on Android devices, a potent virus that includes capabilities like remote access, information stealing, and SMS spamming.
The current Roaming Mantis effort, which is aimed at French users, begins with an SMS sent to potential victims pleading with them to follow a URL.
A package has been sent to them, and the text message notifies them that they need to review it and arrange for delivery.
The user is taken to a phishing page that steals Apple credentials if they are using an iOS device and are situated in France. Android users are directed to a website that provides the mobile app installation file (an Android Package Kit – APK).
Customers outside of France Attack terminates when a 404 error is displayed on Roaming Mantis’ servers.
Risky rights like SMS interception, making phone calls, reading and writing storage, managing system warnings, collecting accounts list, and more are requested by the APK as it runs and imitates a Chrome installation.
To avoid detection, hardcoded Imgur profile destinations that are encoded in base64 are used to retrieve the command and control (C2) configuration.
The victim pool may be considerable, as SEKOIA reported that over 90,000 different IP addresses have so far requested XLoader from the primary C2 server.
It’s unknown how many iOS users have provided their Apple iCloud login information on the Roaming Mantis phishing page, but it may be the same number or perhaps higher.
Infrastructure details
Roaming Mantis’ infrastructure hasn’t undergone significant modification since team Cymru’s previous investigation of it in April, according to SEKOIA’s analysts.
The same certificates that were found in use in April are still being used, and the servers still have open ports at TCP/443, TCP/5985, TCP/10081, and TCP/47001.
According to SEKOIA in the report, “Domains used inside SMS messages are either registered with Godaddy or use dynamic DNS services like duckdns.org.”
The intrusion set uses more than a hundred subdomains, and each IP address is resolved by dozens of FQDNs.
It’s interesting to note that the smishing (SMS phishing) operation uses different C2 servers than those utilised by XLoader, and the analysts were able to locate nine of those located on EHOSTIDC and VELIANET Autonomous Systems.
