Roaming Mantis is a credential theft and malware campaign that leverages smishing to distribute malicious Android apps in the format of APK files, targeted users in Asia with fake websites customized for English, Korean, Simplified Chinese and Japanese. Most impacted users were in Bangladesh, Japan, and South Korea.
The latest attacks aimed at spreading phishing links via SMiShing technique, the prime victims were users in Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran, and Vietnam. Now the Roaming Mantis SMS phishing campaign is targeting Android and iPhone users in Germany and France with malicious apps and phishing pages.
The campaign was using a new landing page to target iOS devices in the attempt to trick victims into installing a malicious iOS mobile configuration. The configuration allows the launch of the phishing site in a web browser and to gather information from the target device using a Wroba trojan
The infection chain starts with an SMS text on the target device, which contains a warning message about a shipped package with an included URL. Upon clicking on the link, a victim is redirected to a phishing page designed to steal the user’s Apple login credentials.
If the victim uses an Android device, they will be redirected to a page that attempt to trick them into installing malware disguised as an Android app. Roaming Mantis operators employed various obfuscation techniques in the landing page script in order to evade detection.
The analysis of Wroba.g/Wroba.o samples revealed several modifications in the loader module and payload. The module was written in Kotlin supporting enhanced backdoor commands such as “get_gallery” and “get_photo”
The criminal group has continued its attack activities by using various malware families such as HEUR:Trojan-Dropper.AndroidOS.Wroba, and various attack methods such as phishing, mining, smishing and DNS poisoning. The group now expanded its activities to other regions of Europe due to its sophisticated nature.
Indicators of Compromise