Posted on May 22, 2018 at 3:50 PM
Roaming Mantis, a malware family first reported by Kaspersky Lab in April 2018, appears to be evolving quickly. The multilingual malware was built to steal data from infected devices, and it has now expanded its repertoire to include phishing and cryptocurrency mining.
Recently discovered malware rapidly evolves
About a month ago, in April, researchers from Kaspersky Lab published a blog post about a new, multilingual piece of malware. They named it Roaming Mantis, and according to the report it reaches Android devices through DNS hijacking: the DNS settings of compromised home routers are changed so that every device behind the router is sent to attacker-controlled sites.
The researchers say the malware is evolving, and at a rapid rate. Its goal is to infect as many Android devices as possible in order to capture sensitive data. The malware now supports around 27 languages, which widens its reach from Asia into the Middle East and Europe. Its newest additions target iOS devices with phishing pages and PCs with in-browser cryptocurrency mining.
The blog post says the malware now covers an entire spectrum of activities: mining cryptocurrency, stealing sensitive information, and running phishing attacks.
Suguru Ishimaru, one of the Kaspersky Lab researchers, said the team compared the current campaign with the previous one. According to him, Roaming Mantis has been evolving rapidly, and the researchers found a lot of functionality that was not there before.
The malware now covers 27 languages, including English, Chinese, Russian, Hebrew and Hindi. At first it covered only five languages; the expansion appears to rely on automatic translation, which is how it grew so fast. The full list was published in Kaspersky Lab's report.
How and where does it work?
So far, the malware's only known distribution method is DNS hijacking, and it has been reported active in Bangladesh, South Korea, India and Japan. Beyond these countries, it also has a strong presence in the Middle East and much of Europe. The malware is also known as XLoader and MoqHao, and it works by redirecting its victims to malicious websites. Android users who land on such a site are offered a fake app, named chrome.apk or facebook.apk, that impersonates Chrome or Facebook.
The report also says that the app has to be installed manually by the tricked victim, and that Kaspersky classifies it as an Android Trojan-Banker. One notable detail is that the comments in the app's code are written in Simplified Chinese.
To target iOS users, the malware does not install anything; instead it redirects them to a fake page designed to mimic Apple's website, hosted at security.app.com. The page asks the user to enter their Apple ID and password, along with a card number, expiry date and CVV. Of the 27 languages the malware now covers, the iOS phishing page supports all but two, Georgian and Bengali.
Kaspersky's researchers state that Coinhive, the in-browser miner served to PC visitors, is currently among the most popular web miners with cybercriminals. They add that around 150 attacks were observed, but that this is only a small fraction of the true number of victims. The reason is that infected devices are very hard to identify when DNS hijacking is the infection method: a hijacked router redirects every client behind it without leaving anything on the devices themselves.
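A simple client-side check for this kind of redirect, added here as an example and not taken from Kaspersky's report or from the malware itself: ask the resolver the router hands out and a trusted public resolver for the same name, then compare the A records. The code below builds and parses DNS A-record messages with Python's standard library; the domain www.example.com and the addresses 198.51.100.5 and 192.0.2.10 are constructed sample values from documentation ranges, and the two responses are assembled inline rather than captured from a network.

```python
"""Minimal DNS A-record check for router DNS hijacking (added example, not from
the Kaspersky report). Sample responses are constructed inline so it runs offline;
a live check would send build_query() over UDP/53 via query_resolver() instead."""
import socket
import struct


def build_query(domain: str, txid: int = 0x1234) -> bytes:
    """Return a standard recursive DNS query (QTYPE=A, QCLASS=IN) for `domain`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in domain.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next_offset)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # caller resumes after the pointer, not its target
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg: bytes) -> dict:
    """Return {name: [ipv4, ...]} for the A records in a response's answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):          # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                   # QTYPE + QCLASS
    answers = {}
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.setdefault(name, []).append(socket.inet_ntoa(rdata))
    return answers


def hijack_suspects(local: dict, trusted: dict) -> dict:
    """Names whose local-resolver A records share no address with the trusted set.
    An empty intersection (rather than inequality) is required so that CDN
    round-robin answers are not reported as hijacks."""
    suspects = {}
    for name, trusted_ips in trusted.items():
        local_ips = local.get(name, [])
        if local_ips and not set(local_ips) & set(trusted_ips):
            suspects[name] = {"local": local_ips, "trusted": trusted_ips}
    return suspects


def query_resolver(server: str, domain: str, timeout: float = 3.0) -> dict:
    """Send build_query() to `server` over UDP/53 and parse the A records (live use)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def _constructed_response(domain: str, ips, txid: int = 0x1234) -> bytes:
    """Constructed DNS response used as offline sample input, not captured traffic."""
    query = build_query(domain, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD, RA
    body = query[12:]  # echo the question section
    for ip in ips:
        # NAME is a pointer to offset 12 (the question's QNAME); TTL 300 s
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + body


# Sample data: a legitimate answer and a rogue one. Both addresses are RFC 5737
# documentation ranges chosen for illustration, not real Roaming Mantis servers.
TRUSTED_ANSWER = _constructed_response("www.example.com", ["198.51.100.5"])
LOCAL_ANSWER = _constructed_response("www.example.com", ["192.0.2.10"])

if __name__ == "__main__":
    # Live use: query_resolver("<router DNS>", name) vs query_resolver("<trusted resolver>", name)
    print(hijack_suspects(parse_a_records(LOCAL_ANSWER), parse_a_records(TRUSTED_ANSWER)))
```

Two caveats for real use: the comparison is a heuristic, since CDNs legitimately hand different addresses to different resolvers, so confirm a hit against a second trusted resolver before treating it as a hijack; and because the rogue settings live on the router, the check has to be run from a client behind it (or against the router's DNS server address directly), not from the device's own cached configuration.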