Roaming Mantis hackers lure their victims via smishing attacks

February 18, 2022

Researchers spotted the Roaming Mantis threat campaign expanding its attack landscape by adding two new European countries, Germany and France, to its scope. The campaign has been active since 2018 and has targeted many countries; the two new ones now rank among its central target regions.

The Roaming Mantis campaign has targeted iOS and Android users in France and Germany by distributing smishing pages and compromised apps. The smishing pages contain a brief description of a phoney delivery package and a redirect link to a website.

Once the target opens the link in the smishing message, they are redirected to a landing page built by the threat actors. iOS owners are sent on to a phishing page that imitates an authentic Apple website; researchers believe the actors designed the fake Apple site to steal their targets' Apple login credentials.

Android users, meanwhile, are redirected to a phishing page that spoofs Chrome, ePOST apps, and Yamato Transport. Instead of stealing the Android users' credentials, the threat actors attempt to download the Wroba malware onto their targets' Android devices.


Based on research, the infection chain of Roaming Mantis starts with a smishing message distributed to potential victims in their targeted regions.
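Because the chain described above begins with a delivery-themed text message carrying a link, the first defensive control is triage of inbound SMS before a user taps anything. The script below is an added example written for this article, not code from the article or from the researchers it cites: it scores each URL in a message on the lure traits named here (fake package notice, link to an attacker-controlled host) plus a few generic red flags (raw IP address, punycode hostname, urgency wording). The sample messages, the `example-post.invalid` carrier domain, the keyword lists and the threshold are all constructed placeholders.

```python
"""Heuristic triage of SMS text for package-delivery smishing lures.

Added example for this article; all domains, messages, keyword lists and
thresholds are constructed for illustration and should be tuned locally.
"""
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Lure vocabulary typical of fake delivery notices (constructed list, EN/DE/FR).
LURE_TERMS = ("package", "parcel", "delivery", "shipment", "customs", "redeliver",
              "paket", "lieferung", "zustellung", "colis", "livraison")
URGENCY_TERMS = ("urgent", "immediately", "within 24", "sofort", "dringend",
                 "immédiatement", "urgence")

# Assumed allow-list of legitimate carrier domains (placeholder value; replace
# with the carriers your users actually deal with).
KNOWN_CARRIER_DOMAINS = ("example-post.invalid",)

SUSPICIOUS_THRESHOLD = 4  # constructed cut-off; tune against your own traffic


@dataclass
class Verdict:
    url: str
    host: str
    score: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def _host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, tolerating a missing scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _is_known_carrier(host: str) -> bool:
    """True when the host is, or is a subdomain of, an allow-listed carrier."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_CARRIER_DOMAINS)


def triage_sms(text: str) -> List[Verdict]:
    """Score every URL in an SMS; a message with no link yields no verdicts."""
    lowered = text.lower()
    has_lure = any(t in lowered for t in LURE_TERMS)
    has_urgency = any(t in lowered for t in URGENCY_TERMS)
    verdicts = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")  # drop sentence punctuation glued to the link
        host = _host_of(url)
        score, reasons = 0, []
        if has_lure:
            score += 2
            reasons.append("delivery lure wording")
        if has_urgency:
            score += 1
            reasons.append("urgency wording")
        if IP_HOST_RE.match(host):
            score += 3
            reasons.append("link points at a raw IP address")
        if "xn--" in host:
            score += 2
            reasons.append("punycode (IDN) hostname")
        if not _is_known_carrier(host):
            score += 1
            reasons.append("host is not a known carrier domain")
        verdicts.append(Verdict(url, host, score, reasons))
    return verdicts


if __name__ == "__main__":
    # Constructed sample messages; 192.0.2.0/24 is the documentation range.
    samples = [
        "Your package could not be delivered. Confirm your address within 24 hours: http://192.0.2.10/redeliver",
        "Ihr Paket wartet auf Zustellung. Bitte bestätigen: http://xn--pst-example.invalid/track",
        "Your parcel is on the way. Track it: https://www.example-post.invalid/track/123",
        "Reminder: team lunch at noon.",
    ]
    for msg in samples:
        for v in triage_sms(msg):
            flag = "SUSPICIOUS" if v.suspicious else "ok"
            print(f"{flag:10} score={v.score} host={v.host} reasons={v.reasons}")
```

The scoring is deliberately additive so an analyst can read the `reasons` list and see which trait tipped a message over the threshold; a link to a recognised carrier with lure wording still scores, but stays below the cut-off, which is the behaviour you want for genuine delivery notifications.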


In its latest form, the threat group has used a trojan called Wroba to target Android users, luring them with pages that imitate authentic websites.

Furthermore, the campaign has switched the programming language of the Wroba loader and payload from Java to Kotlin. Experts noted that Kotlin offers exceptional interoperability with Java.

The threat actors have also changed the backdoor commands to focus on exfiltrating galleries and images from targeted devices, and have removed the multidex obfuscation mechanism for unknown reasons.

The Roaming Mantis campaign is expanding into new countries while improving its efficiency with customised malware strains such as Wroba[.]g and HEUR: Trojan-Dropper.AndroidOS.Wroba. This attack shows that Roaming Mantis remains highly active, and its recent expansion into European nations is expected to continue this year.
