Much like a spyware campaign recently targeting Italian users, this campaign's kill chain begins with an SMS message sent to phone numbers beginning with France's +33 country code. The text message tells recipients that a package has been shipped and requires review. The message includes a malicious link that directs users to different destinations depending on certain conditions. If the user's IP address corresponds to a location outside France, the user is served a 404 error, ending the attack prematurely.
If the victim's phone is running Android, the server redirects the victim to a page that displays an alert and attempts to download an APK file. If the victim runs the APK file and disables the Android safeguards that protect against installing apps from unknown sources, it installs a malicious app that mimics the Chrome browser and asks victims to grant it extensive permissions. The XLoader malware contained within the app connects to the legitimate image hosting service Imgur to retrieve a command-and-control (C2) configuration from a user profile. The malware then steals information from the infected device and uploads it to the C2 server.
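The dropper described above relies on two visible traits: an app that calls itself "Chrome" without being Chrome, and a request for broad device permissions. The following Python script, an added example that is not part of the original article or of any vendor tooling, triages a decoded AndroidManifest.xml for exactly that pattern. The sample manifest, the list of official Chrome package names, and the watchlist of high-risk permissions are all constructed assumptions for illustration; the article itself names neither the package nor the specific permissions requested.

```python
"""Triage a decoded Android manifest for a browser-impersonating dropper.

Added example, not code from the original article. Assumes the manifest has
already been decoded to plain XML (for instance with apktool). The package
names, permission watchlist and sample manifest below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed: package names under which Google ships Chrome. Any other package
# that labels itself "Chrome" is treated as impersonation.
LEGIT_CHROME_PACKAGES = {
    "com.android.chrome",
    "com.chrome.beta",
    "com.chrome.dev",
    "com.chrome.canary",
}

# Assumed watchlist: permissions that give an app the kind of broad access to
# messages, contacts and the device that the article describes.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_PHONE_STATE",
}


def triage_manifest(xml_text: str) -> dict:
    """Return a findings dict for one manifest: impersonation flag, risky
    permissions, a simple score and a verdict string."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")

    # The application label is in the android: namespace; the package is not.
    app = root.find("application")
    label = (app.get(f"{{{ANDROID_NS}}}label") if app is not None else "") or ""

    requested = {
        p.get(f"{{{ANDROID_NS}}}name", "") for p in root.findall("uses-permission")
    }
    risky = sorted(requested & HIGH_RISK_PERMISSIONS)

    # Impersonation: the label claims to be Chrome but the package is not one
    # of the official Chrome packages.
    claims_chrome = "chrome" in label.lower()
    impersonation = claims_chrome and package not in LEGIT_CHROME_PACKAGES

    # Scoring is deliberately simple: impersonation weighs 2, each risky
    # permission weighs 1, and 3 or more is flagged for analyst review.
    score = (2 if impersonation else 0) + len(risky)
    return {
        "package": package,
        "label": label,
        "impersonates_chrome": impersonation,
        "risky_permissions": risky,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "benign-ish",
    }


# Constructed sample: a fake "Chrome" that wants SMS and contact access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebrowser">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Chrome" android:icon="@mipmap/ic_launcher"/>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The check is intentionally coarse: it will not catch a dropper that picks a different brand to imitate, and a legitimate app can reasonably ask for one or two of the listed permissions. Its value is as a cheap first pass over a batch of decoded APKs so that the "brand name plus broad permissions" combination gets a human look.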
Between the phishing attack targeting iOS users and the malware attack targeting Android users, Roaming Mantis is able to gain access to a wide range of personal data, as well as remotely interact with victims' devices. This sensitive data and remote access could later be used to support extortion of the victims or of related companies and institutions.