As discovered by Kaspersky researchers, the Roaming Mantis threat group has continued expanding their cybercriminal campaign capabilities by adding web crypto mining for iOS, and new methods of spreading through SMS and prezi.com.
Kaspersky's GReAT (Global Research & Analysis Team) first got wind of the Roaming Mantis (aka MoqHao or XLoader) campaign in April 2018 when they uncovered the use of DNS hijacking to compromise Android devices and install an Android Trojan-Banker.
Furthermore, in May, GReAT discovered that Roaming Mantis had expanded their operations to more languages and were now also using multilingual phishing and mining malware to compromise and infect their targets.
In June, Japanese security researchers from LAC Co Ltd found Roaming Mantis infiltrating vulnerable routers using sets of default usernames and passwords, and subsequently changing the routers' DNS servers to rogue DNS servers they controlled.
Since then, GReAT has also learned about other malicious methods and tools Roaming Mantis have added to their arsenal, the first one being the switch from credential phishing websites on iOS devices to web crypto mining. They switched back to the phishing sites, though, after Kaspersky's team found out about it.
Roaming Mantis have added multiple new tools to their attack and propagation arsenal since June 2018
Roaming Mantis added some extra spreading capabilities, now using phishing text messages which contain malicious URLs designed to redirect the user to a website which installs the FakeSpy Android malware that steals information from Korean and Japanese users.
The cyber crooks also use the prezi.com website which hosts dynamic presentations. The victims are redirected to a specially crafted presentation containing code which would send them to malicious web pages created to either install malware or use the target's computer as a crypto miner. This propagation method is not working at the moment because of coding errors made by the crooks.
GReAT also found a database of records containing more than 4800 entries (in June 2018), with passwords, banking, and credit card info, as well as names, phone numbers, and personal information, which they consider to be data collected during the Roaming Mantis campaign.
As a mitigation measure, GReAT recommends that Android users disable the option that allows their device to install applications from third-party repositories.