Roaming Mantis Seen using DNS Changer

Researchers discovered that the threat actor known as Roaming Mantis has  added a DNS changer function to its latest mobile app Wroba.o to infiltrate WiFi routers and undertake DNS hijacking.

The threat actor has been conducting a long-term campaign that uses malicious Android package files to control infected Android devices and obtain device information.

Researchers initially in 2018 saw Roaming Mantis activities targeting the Asian region, including Japan, South Korea, and Taiwan. At that time, the criminals compromised Wi-Fi routers for use in DNS hijacking, which is a very effective technique. But through mid-2019 until 2022, the criminals mainly used smishing instead of DNS hijacking to deliver a malicious URL as their landing page.

The malicious URL identified the user’s device platform to deliver malicious APK files for Android or redirect to phishing pages for iOS. In September 2022, researchers discovered the DNS changer was implemented to target specific Wi-Fi routers. It obtains the default gateway IP address as the connected Wi-Fi router IP and checks the device model from the router’s admin web interface.

The security researchers also discovered that the feature was implemented to mainly target WiFi routers located in South Korea. Victims of Roaming Mantis were also spotted in France, Japan, Germany, the US, Taiwan, Turkey, and other regions.

The discovery of this new DNS changer implementation is very important in terms of security. The attacker can use it to manage all communications from devices using a compromised Wi-Fi router with rogue DNS settings.

This research was documented by researchers from Kaspersky Securelist

Indicators of Compromise

Wroba.o

• 2036450427a6f4c39cd33712aa46d609
• 8efae5be6e52a07ee1c252b9a749d59f
• 95a9a26a95a4ae84161e7a4e9914998c
• ab79c661dd17aa62e8acc77547f7bd93
• d27b116b21280f5ccc0907717f2fd596
• f9e43cc73f040438243183e1faf46581

Domains of landing pages:

• 1hy5.cwdqh[.]com
• 3.wubmh[.]com
• 3y.tmztp[.]com
• 53th.xgunq[.]com
• 5c2d.zgngu[.]com
• 5.hmrgt[.]com
• 8.ondqp[.]com
• 9v.tbeew[.]com
• d.vbmtu[.]com
• g.dguit[.]com
• j.vbrui[.]com
• k.uvqyo[.]com
• kwdd.cehsg[.]com
• mh.mgtnv[.]com
• o.wgvpd[.]com
• r48.bgxbm[.]com
• t9o.qcupn[.]com
• vj.nrgsd[.]com
• w3.puvmw[.]com
• xtc9.rvnbg[.]com
• y.vpyhc[.]com

IPs of landing pages:

• 103.80.134[.]40
• 103.80.134[.]41
• 103.80.134[.]42
• 103.80.134[.]48
• 103.80.134[.]49
• 103.80.134[.]50
• 103.80.134[.]51
• 103.80.134[.]52
• 103.80.134[.]53
• 103.80.134[.]54
• 134.122.137[.]14
• 134.122.137[.]15
• 134.122.137[.]16
• 199.167.138[.]36
• 199.167.138[.]38
• 199.167.138[.]39
• 199.167.138[.]40
• 199.167.138[.]41
• 199.167.138[.]43
• 199.167.138[.]44
• 199.167.138[.]45
• 199.167.138[.]48
• 199.167.138[.]49
• 199.167.138[.]51
• 199.167.138[.]52
• 27.124.36[.]32
• 27.124.36[.]34
• 27.124.36[.]52
• 27.124.39[.]241
• 27.124.39[.]242
• 27.124.39[.]243
• 91.204.227[.]131
• 91.204.227[.]132
• 91.204.227[.]144
• 91.204.227[.]145
• 91.204.227[.]146

Rogue DNS:

• 193.239.154[.]15
• 193.239.154[.]16
• 193.239.154[.]17
• 193.239.154[.]18
• 193.239.154[.]22

Suspicious accounts/pages of some legitimate services for obtaining C2s

• http://m.vk[.]com/id668999378?act=info
• http://m.vk[.]com/id669000526?act=info
• http://m.vk[.]com/id669000956?act=info
• http://m.vk[.]com/id674309800?act=info
• http://m.vk[.]com/id674310752?act=info
• http://m.vk[.]com/id730148259?act=info
• http://m.vk[.]com/id730149630?act=info
• http://m.vk[.]com/id761343811?act=info
• http://m.vk[.]com/id761345428?act=info
• http://m.vk[.]com/id761346006?act=info
• https://www.youtube[.]com/channel/UCP5sKzxDLR5yhO1IB4EqeEg/about
• https://docs.google[.]com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic
• https://docs.google[.]com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic

C&C

• 91.204.227[.]32
• 91.204.227[.]33
• 92.204.255[.]173
• 91.204.227[.]39
• 118.160.36[.]14
• 198.144.149[.]131