Si Cyber Intel: Malicious Banking Trojan, Roaming Mantis, Is Back
This week has seen critical threat levels from the banking Trojan known as ‘Roaming Mantis’.
It’s not the first time we’ve heard of this malware: last month it was found hijacking Internet routers in order to distribute Android banking malware designed to steal login credentials and the secret code used for authentication.
According to security researchers at Kaspersky Lab, the DNS-hijacking malware is now back on the scene and has evolved, adding phishing attacks against iOS devices and a cryptocurrency-mining script for desktop users.
Initially, Roaming Mantis targeted only users of South Korean, Chinese and Japanese mobile banking apps on Android phones, but distribution has now widened to landing pages in 27 languages across Europe and the Middle East.
How the Roaming Mantis malware works
The malware works by hijacking the DNS settings of a wireless router so that traffic is redirected to a website controlled by the attacker. Once the router is compromised, the user is automatically sent to a malicious site that impersonates a popular website; what the victim sees depends on the device:
- Phishing sites targeting iOS users – the malware redirects users to fake phishing pages that pose as the Apple website and encourage victims to enter their user ID, password and banking card details
- Android users are greeted by a host of apps which look real but are actually loaded with the banking malware. From there, users are prompted to update their Chrome browser app, which leads to the delivery of Roaming Mantis to the device. Once installed, the malware (appearing as the Chrome app) asks for access to messages, call functions, external storage and more
- PC users are taken to sites infected with cryptocurrency-mining scripts. The malware prompts the user to certify their device to continue browsing; Roaming Mantis then presents a fake Google screen in the browser and requests the user’s name and date of birth. That data, along with other information stolen from the device, is used to compromise the victim’s account.
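The redirection described above leaves two traces a defender can check for on a client: a resolver that is not the expected one, and many unrelated hostnames all resolving to a single address (a catch-all redirect to the attacker’s site). The following is an added illustration, not code from the original post or from Kaspersky; the resolver allowlist, the resolv.conf text and the lookup results are constructed sample data.

```python
"""Heuristic check for router-level DNS hijacking of the kind described above.

Two signals are combined:
  1. configured resolvers that are not on an allowlist (LAN gateway / trusted public resolvers)
  2. several unrelated hostnames resolving to one address (catch-all redirect to an attacker site)
All data below is constructed for illustration; the addresses come from documentation ranges.
"""
import ipaddress

# Assumption: the household/office allowlist of legitimate resolvers (gateway plus chosen public resolvers).
TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}


def parse_resolv_conf(text):
    """Return nameserver addresses found in resolv.conf-style text, skipping malformed entries."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not an IP literal; ignore rather than crash
    return servers


def untrusted_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Resolvers the device is using that are not on the allowlist (hijacked router DNS setting)."""
    return [s for s in servers if s not in trusted]


def sinkholed_domains(answers, threshold=3):
    """answers maps hostname -> resolved IP. Return {ip: [hostnames]} for every address shared by
    at least `threshold` hostnames, which is what a catch-all redirect to one attacker site looks like."""
    by_ip = {}
    for host, ip in answers.items():
        by_ip.setdefault(ip, []).append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) >= threshold}


def assess(resolv_text, answers):
    """Combine both signals into one verdict for the current client."""
    bad = untrusted_resolvers(parse_resolv_conf(resolv_text))
    shared = sinkholed_domains(answers)
    return {"untrusted_resolvers": bad, "shared_answers": shared, "suspicious": bool(bad or shared)}


# Constructed sample: a rogue second resolver pushed by the router, and unrelated hostnames
# (a bank, an Apple-lookalike target and an update host) all answered with one address.
SAMPLE_RESOLV = "nameserver 192.168.1.1\nnameserver 203.0.113.50\n"
SAMPLE_ANSWERS = {"bank.example": "203.0.113.7", "apple.example": "203.0.113.7",
                  "update.example": "203.0.113.7", "news.example": "198.51.100.20"}

if __name__ == "__main__":
    print(assess(SAMPLE_RESOLV, SAMPLE_ANSWERS))
```

On a real client the resolv.conf text would come from the system and the answers from comparing the system resolver against a trusted one; the threshold is a tuning knob, since CDNs legitimately share addresses among a few hostnames.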
How to protect yourself:
- Make sure internet routers at home and in the office are updated with recent patches and security updates
- Verify that websites you are redirected to use HTTPS and present a trusted certificate
- Avoid installing mobile applications from unknown sources. By default, Google prevents users from installing apps from sources other than the Play Store. We recommend that you leave the installation of apps from unknown sources disabled
- Avoid opening links received via SMS, WhatsApp or other messaging applications from unknown sources
- Avoid downloading third-party applications or responding to suspicious messages
For information about Si Cyber’s malware detection and response capabilities, please contact firstname.lastname@example.org