Wednesday, July 20, 2022

Beware Of Roaming Mantis Malware Phishing Campaign Preying On Android And iOS Users


While malware and phishing are two different kinds of cyberattacks, threat actors often use both techniques in malicious campaigns. A threat actor known as Roaming Mantis appears to be doing exactly that in a new campaign documented by researchers at the cybersecurity firm SEKOIA. Roaming Mantis has previously targeted users in Japan, South Korea, Taiwan, Germany, France, the UK, and the US, distributing the MoqHao Android malware, also known as XLoader. The researchers estimate that this new campaign has compromised around 70,000 Android devices belonging to French users.

Much like a spyware campaign recently targeting Italian users, the campaign's kill chain begins with an SMS message sent to phone numbers beginning with France's +33 country code. The text message tells recipients that a package has been sent that requires review. The message includes a malicious link that directs users to different destinations, depending on certain conditions. If the user's IP address corresponds to a location outside of France, the user is sent a 404 error, ending the attack prematurely.

Apple ID phishing page (source: SEKOIA)

However, if the user has a French IP address, the malicious server then detects the mobile device's operating system. In the case of an Apple device running iOS, the server sends the victim to a phishing page that mimics the French-language Apple ID login page. Any Apple ID user credentials entered into this page are obtained by the Roaming Mantis threat actor for later use.

If the victim's phone is running Android, the server redirects the victim to a page that displays an alert and attempts to download an APK file. If the victim runs the APK file and disables the Android safeguards that protect against installing apps from unknown sources, it installs a malicious app that mimics the Chrome browser and asks victims to grant it extensive permissions. The XLoader malware contained within the app connects to the legitimate image hosting service Imgur to retrieve a command-and-control (C2) configuration from a user profile. The malware then steals information from the infected device and uploads it to the C2 server.

Between the phishing attack targeting iOS users and the malware attack targeting Android users, Roaming Mantis is able to gain access to a wide variety of personal data, as well as remotely interact with victims' devices. This sensitive data and remote access could later be used to assist in extortion of the victims or related businesses and institutions.
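
For defenders managing Android fleets, the fake Chrome app described above can be hunted for in a device app inventory. The following is an added example, not code from SEKOIA or the original article: the inventory record format, the sample entries, and the choice of which permissions count as "extensive" are assumptions made for illustration.

```python
import unicodedata

GENUINE = {"chrome": "com.android.chrome"}  # package name of the real Google Chrome
PLAY_STORE = "com.android.vending"          # installer id reported for Google Play installs
# Assumption: the article does not list the permissions; this set is chosen for the example.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
}

def normalize(label):
    """Fold case, Unicode compatibility forms and padding so look-alike labels compare equal."""
    return unicodedata.normalize("NFKC", label).casefold().strip()

def triage(app):
    """Return the list of signals raised by one inventory record."""
    findings = []
    expected = GENUINE.get(normalize(app["label"]))
    if expected and app["package"] != expected:
        findings.append("impersonates-chrome")    # Chrome label, wrong package name
    if app.get("installer") != PLAY_STORE:
        findings.append("sideloaded")             # installed from an unknown source
    if len(SENSITIVE & set(app.get("permissions", []))) >= 3:
        findings.append("extensive-permissions")
    return findings

def suspicious(inventory):
    """Packages where the Chrome impersonation is backed by at least one more signal."""
    hits = []
    for app in inventory:
        findings = triage(app)
        if "impersonates-chrome" in findings and len(findings) >= 2:
            hits.append(app["package"])
    return hits

# Constructed sample inventory (hypothetical records, not real telemetry).
INVENTORY = [
    {"label": "Chrome", "package": "com.android.chrome", "installer": PLAY_STORE,
     "permissions": ["android.permission.INTERNET"]},
    {"label": "\uff23hrome ", "package": "com.example.fakebrowser", "installer": None,
     "permissions": ["android.permission.READ_SMS", "android.permission.SEND_SMS",
                     "android.permission.READ_CONTACTS", "android.permission.INTERNET"]},
    {"label": "Notes", "package": "com.example.notes", "installer": None, "permissions": []},
]

if __name__ == "__main__":
    for pkg in suspicious(INVENTORY):
        print("investigate:", pkg)
```

A sideloaded app on its own is only a weak signal, which is why `suspicious` requires the Chrome label mismatch plus at least one other finding before flagging a device.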
