DNS hijacker Roaming Mantis malware target OS, Android and Desktop users worldwide

Kaspersky Lab found that Roaming Mantis, a DNS rogue malware for routers targeting Android devices, has now upgraded to iOS devices and desktop users. Initially, the malware was found hijacking a network router last month and was designed to distribute Android banking malware that steals user login credentials and dual authentication passwords. According to Kaspersky Lab’s security researchers, the criminal group behind Roaming Mantis has expanded its target by adding phishing attacks targeting iOS devices and cryptocurrency mining scripts for PC users. In addition, although the initial attack was aimed at targeting users from Southeast Asia, the new activity has evolved to support 27 languages in order to expand the scope of business in Europe and the Middle East.

Similar to the previous version, the new Roaming Mantis malware is distributed through DNS hijacking. The attacker changes the DNS settings of the wireless router and redirects traffic to malicious websites controlled by them. Therefore, when a user attempts to access any website through a compromised router, they are all redirected to malicious websites that can be used to: provide Android users with fake banking malware; provide iOS user phishing websites; provide desktop users with cryptocurrencies Mining the script’s site.

Image: securelist

In order to protect against such malicious software, security researchers gave the following suggestions:

It is recommended that you ensure that your router is running the latest version of firmware and protected with strong passwords. Because hacking activities use an attacker-controlled DNS server to disguise a legitimate domain name and redirect users to malicious download files, it is recommended that you ensure that HTTPS is enabled before accessing the site.

You should also disable the router’s remote management capabilities and hard-code the trusted DNS server into the operating system network settings.

It is recommended that Android users install applications from the official store and set up applications that disable the installation of unknown sources;

Check if your Wi-Fi router has been compromised, check your DNS settings and check the DNS server address. If it does not match your provider’s release, fix it and change all account passwords immediately.

Suggest Reading

Roaming Mantis dabbles in mining and phishing multilingually

Source: thehackernews 

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.