Researchers from Kaspersky observed Roaming Mantis threat actors using an updated variant of their mobile malware Wroba to compromise Wi-Fi routers and hijack DNS settings.
Roaming Mantis surfaced in March 2018, when it hacked routers in Japan to redirect users to compromised websites. Roaming Mantis is a credential theft and malware campaign that leverages smishing to distribute malicious Android apps packaged as APK files.
An investigation by Kaspersky Lab in 2018 indicated that the attack targeted users in Asia with fake websites customized for English, Korean, Simplified Chinese, and Japanese. Most of the impacted users were in Bangladesh, Japan, and South Korea.
Over the years, the threat actors have targeted users worldwide, including users in Russia, India, Bangladesh, Kazakhstan, Azerbaijan, Iran, Vietnam, and Europe.
In September 2022, Kaspersky researchers analyzed the new Wroba variant and discovered that it was designed to target specific Wi-Fi routers mainly used in South Korea.
“Kaspersky has been investigating the actor’s activity throughout 2022, and we observed a DNS changer function used for getting into Wi-Fi routers and undertaking DNS hijacking. This was newly implemented in the known Android malware Wroba.o/Agent.eq (a.k.a. Moqhao, XLoader), which was the main malware used in this campaign,” reads the report published by Kaspersky.