Geeks for your information
Roaming Mantis’ Android malware adds DNS changer to hack WiFi routers - Printable Version


Roaming Mantis’ Android malware adds DNS changer to hack WiFi routers - harlan4096 - 20 January 23

Quote:
[Image: sl-abstract-digital-mantis-blue-1200x600.jpg]

Roaming Mantis (a.k.a Shaoye) is well-known as a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal device information; it also uses phishing pages to steal user credentials, with a strong financial motivation.

Kaspersky has been investigating the actor’s activity throughout 2022, and we observed a DNS changer function used for getting into Wi-Fi routers and undertaking DNS hijacking. This was newly implemented in the known Android malware Wroba.o/Agent.eq (a.k.a Moqhao, XLoader), which was the main malware used in this campaign.

DNS changer via malicious mobile app

Back in 2018, Kaspersky first saw Roaming Mantis activities targeting the Asian region, including Japan, South Korea and Taiwan. At that time, the criminals compromised Wi-Fi routers for use in DNS hijacking, which is a very effective technique. It was identified as a serious issue in both Japan and South Korea. Through rogue DNS servers, all users accessing a compromised router were redirected to a malicious landing page. From mid-2019 until 2022, the criminals mainly used smishing instead of DNS hijacking to deliver a malicious URL as their landing page. The landing page identified the user’s device platform to provide malicious APK files for Android or redirect to phishing pages for iOS.
 
[Image: Roaming_Mantis_newly_implemented_DNS_cha...app_01.png]
Infection flow with DNS hijacking

In September 2022, we carried out a deep analysis of Wroba.o (MD5 f9e43cc73f040438243183e1faf46581) and discovered the DNS changer was implemented to target specific Wi-Fi routers. It obtains the default gateway IP address as the connected Wi-Fi router IP, and checks the device model from the router’s admin web interface.
 
[Image: Roaming_Mantis_newly_implemented_DNS_cha...24x399.png]
Code for checking Wi-Fi router model

The following strings are hardcoded for checking the Wi-Fi router model:
  • ipTIME N3-i
  • ipTIME N604plus-i
  • EFM Networks ipTIME N604plus-i
  • EFM Networks – ipTIME Q104
  • EFM Networks ipTIME Q104
  • EFM Networks – ipTIME Q204
  • EFM Networks ipTIME Q204
  • EFM Networks ipTIME V108
  • EFM Networks ipTIME Q604
  • EFM Networks ipTIME Q604 PINKMOD
  • EFM Networks ipTIME N104R
  • EFM Networks ipTIME N604R
  • EFM Networks ipTIME Q504
  • EFM Networks ipTIME N5
  • EFM Networks ipTIME N604V
  • EFM Networks ipTIME N104T
  • EFM Networks – ipTIME G301
  • title.n704bcm
  • title.a8004t
  • title.a2004sr
  • title.n804r
  • title.n104e
  • title.n104pk
  • title.a1004ns
  • title.a604m
  • title.n104pi
  • title.a2008
  • title.ax2004b
  • title.n104q
  • title.n604e
  • title.n704e
  • title.n704v3
  • title.n704v5
  • title.t5004
  • title.t5008
  • title.a1004
  • title.a2003nm
  • title.a2004sr
  • title.a5004nm
  • title.a604sky
  • title.n2pi
  • title.n604pi
  • title.a2004m
  • title.a3004nm
  • title.a7ns
  • title.a8txr
  • title.ew302nr
  • title.n602e
  • title.t16000
  • title.a3003ns
  • title.a6004nm
  • title.n1e
  • title.n3i
  • title.n6
  • title.a2004ns
  • title.n1pi
  • title.a2004r
  • title.n704bcm
  • title.n600
  • title.n102e
  • title.n702r
  • title.a8004i
  • title.a2004nm
  • title.t16000m
  • title.a8004t
  • title.a604r
  • title.a9004x2
  • title.a3004t
  • title.n804r
  • title.n5i
  • title.n704qc
  • title.a8004nm
  • title.a8004nb
  • title.n604p
  • title.a604gm
  • title.a3004
  • title.a3008
  • title.n2v
  • title.ax2004m
  • title.v504
  • title.n1p
  • title.n704bcm
  • title.ew302
  • title.n104qi
  • title.n104r
  • title.n2p
  • title.n608
  • title.q604
  • title.n104rsk
  • title.n2e
  • title.n604s
  • title.n604t
  • title.n702bcm
  • title.n804
  • title.n3
  • title.q504
  • title.a604
  • title.v308
  • title.a3004d
  • title.n104p
  • title.g104i
  • title.n604r
  • title.a2004
  • title.a704nb
  • title.a604v
  • title.n6004r
  • title.n604p
  • title.t3004
  • title.n5
  • title.n904
  • title.a5004ns
  • title.n8004r
  • title.n604vlg
From these hardcoded strings, we saw that the DNS changer functionality was implemented to target Wi-Fi routers located in South Korea: the targeted models have been used mainly in South Korea.

Next, the DNS changer connects to the hardcoded vk.com account “id728588947” to get the next destination, which is “107.148.162[.]237:26333/sever.ini”. The “sever.ini” (note the misspelling of server) dynamically provided the criminal’s current rogue DNS IP addresses.
 
[Image: Roaming_Mantis_newly_implemented_DNS_cha...24x533.png]
Rogue DNS from a vk.com hardcoded account to compromise the DNS setting

Checking the code of the DNS changer, it seems to be using a default admin ID and password such as “admin:admin”. Finally, the DNS changer generates a URL query with the rogue DNS IPs to compromise the DNS settings of the Wi-Fi router, depending on the model, as follows.
 
[Image: Roaming_Mantis_newly_implemented_DNS_cha...app_04.png]
Hardcoded default ID and password to compromise DNS settings using the URL query

We believe that the discovery of this new DNS changer implementation is very important in terms of security. The attacker can use it to manage all communications from devices using a compromised Wi-Fi router with the rogue DNS settings. For instance, the attacker can redirect to malicious hosts and interfere with security product updates. In 2016, details of another Android DNS changer were published, demonstrating why DNS hijacking is critical.

Users connect infected Android devices to free/public Wi-Fi in such places as cafes, bars, libraries, hotels, shopping malls and airports. When connected to a targeted Wi-Fi model with vulnerable settings, the Android malware will compromise the router and affect other devices as well. As a result, it is capable of spreading widely in the targeted regions.
...
Continue Reading
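The infection flow quoted above ends with the router's DNS settings pointing at the criminals' rogue resolvers, which every client joining that Wi-Fi then inherits through DHCP. The quickest check from the client side is therefore to look at which resolvers the network handed out. The script below is an added example (it is not part of the Kaspersky post or the Wroba.o code it describes): it parses a resolv.conf-style resolver list and flags any public resolver that is neither the router itself nor on an allowlist. The gateway address, the allowlist and the two sample resolver files are assumptions constructed for the example; the "rogue" addresses are IANA documentation ranges, not indicators from the article.

```python
"""Audit the DNS resolvers a client received from its Wi-Fi router.

Added example, not Kaspersky's or the malware's code. A resolver that is
neither the router (default gateway) nor an expected public resolver is
reported as a candidate rogue DNS server.
"""
import ipaddress
import re

# Assumption: the public resolvers this network is expected to use.
# The article does not list legitimate resolvers; edit for your environment.
ALLOWED_PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Explicit LAN ranges (RFC 1918, link-local, loopback). Python's
# ip.is_private would also treat the TEST-NET documentation ranges used in
# the constructed sample as private, which is not what we want here.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample data: a clean snapshot and a hijacked one. In the
# hijacked case two unknown public resolvers are listed *before* the router,
# so they win every lookup.
CLEAN_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 192.168.0.1
"""

HIJACKED_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 203.0.113.10
nameserver 198.51.100.53
nameserver 192.168.0.1
"""

NAMESERVER_RE = re.compile(r"^[ \t]*nameserver[ \t]+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf: str) -> list:
    """Return nameserver addresses in the order the stub resolver tries them."""
    return NAMESERVER_RE.findall(resolv_conf)


def is_lan_address(ip) -> bool:
    """True if the address falls inside one of the explicit LAN ranges above."""
    return any(ip in net for net in LAN_NETWORKS)


def classify_resolver(addr: str, gateway: str) -> str:
    """Classify one resolver address.

    'router'  - the default gateway itself (normal for home routers)
    'lan'     - another LAN address (e.g. a corporate or ISP CPE resolver)
    'allowed' - a public resolver on the allowlist
    'unknown' - a public resolver we did not expect: candidate rogue DNS
    'invalid' - not a parseable IP address
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr == gateway:
        return "router"
    if is_lan_address(ip):
        return "lan"
    if addr in ALLOWED_PUBLIC_RESOLVERS:
        return "allowed"
    return "unknown"


def audit_resolvers(resolv_conf: str, gateway: str) -> dict:
    """Audit a resolver list. hijack_likely is set when the first resolver,
    the one that answers nearly every query, is an unexpected public host."""
    servers = parse_nameservers(resolv_conf)
    classes = {s: classify_resolver(s, gateway) for s in servers}
    suspicious = [s for s in servers if classes[s] == "unknown"]
    return {
        "servers": servers,
        "classes": classes,
        "suspicious": suspicious,
        "hijack_likely": bool(servers) and classes[servers[0]] == "unknown",
    }


if __name__ == "__main__":
    for label, conf in (("clean", CLEAN_RESOLV_CONF), ("hijacked", HIJACKED_RESOLV_CONF)):
        print(label, audit_resolvers(conf, gateway="192.168.0.1"))
```

On a real client, replace the constructed samples with the contents of /etc/resolv.conf (or the DHCP-provided DNS list shown in the Wi-Fi network details on Android) and set the gateway to the router's LAN address. A resolver flagged as unknown is worth a second look regardless of order; one that sits first in the list means the router's DNS setting has very likely been changed.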