Roaming Mantis, part IV
Quote:

Mobile config for Apple phishing, and re-spreading an updated malicious APK (MoqHao/XLoader)

One year has passed since we published the first blogpost about the Roaming Mantis campaign on securelist.com, and this February we detected new activities by the group. This blogpost is a follow-up on our earlier reporting about the group with updates on their tools and tactics.

Mobile config for Apple phishing

Our key finding is that the actor continues to seek ways to compromise iOS devices and has even built a new landing page for iOS users. When an iPhone user visits this landing page, she sees pop-up messages guiding her to the malicious iOS mobile config installation.

After installation of this mobile config, the phishing site automatically opens in a web browser and collected information from the device is sent to the attacker’s server. This information includes DEVICE_PRODUCT, DEVICE_VERSION, UDID, ICCID, IMEI and MEID.

The CA contains the suspected developer’s email address, “zeeyf79797@yahoo.co[.]jp”, which could be malicious.

We created a test account for this research and used the account credentials at the phishing site. As soon as the threat actor received the ID and password, the criminals attempted to log in to the account from Hong Kong. After entering the credentials, we were directed to the next page, which tried to steal the two-factor authentication code (PIN) sent to the device.  
Messages In This Thread
Roaming Mantis, part IV - by harlan4096 - 06 April 19, 06:47
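
For defenders triaging a submitted .mobileconfig file, the following added example (not part of the quoted article or the original post) flags profiles that ask the device to send identifiers such as UDID, ICCID, IMEI and MEID to a host outside an allow-list. It assumes the profile uses Apple's "Profile Service" payload type; the sample profile, its host name and the function names are constructed for illustration.

```python
import plistlib
from urllib.parse import urlparse

# Attribute names from Apple's "Profile Service" payload. Treating PRODUCT and
# VERSION as the page's DEVICE_PRODUCT / DEVICE_VERSION is an assumption.
IDENTIFIERS = {"UDID", "IMEI", "ICCID", "MEID", "SERIAL", "PRODUCT", "VERSION"}

def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig. Signed profiles wrap the XML plist in a CMS
    envelope, so cut out the plist instead of parsing the whole file."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end < start:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def triage(raw: bytes, trusted_hosts=frozenset()):
    """Return a finding dict for identifier-harvesting profiles, else None."""
    profile = load_profile(raw)
    if profile.get("PayloadType") != "Profile Service":
        return None
    content = profile.get("PayloadContent")
    if not isinstance(content, dict):
        return None
    requested = IDENTIFIERS & set(content.get("DeviceAttributes", []))
    host = urlparse(content.get("URL", "")).hostname or ""
    if not requested or host in trusted_hosts:
        return None
    return {"host": host, "attributes": sorted(requested)}

def constructed_sample(signed: bool = False) -> bytes:
    """Constructed test profile; the host is a placeholder, not an IoC."""
    xml = plistlib.dumps({
        "PayloadType": "Profile Service",
        "PayloadIdentifier": "test.example.profile-service",
        "PayloadContent": {
            "URL": "https://collector.example.test/retrieve",
            "DeviceAttributes": ["UDID", "IMEI", "ICCID", "MEID", "VERSION", "PRODUCT"],
        },
    })
    # Fake DER bytes around the plist stand in for a CMS signature envelope.
    return b"\x30\x82\x0a\x00" + xml + b"\x31\x82\x01\x00" if signed else xml

if __name__ == "__main__":
    print(triage(constructed_sample(signed=True)))
```

Passing an organisation's own MDM enrollment hosts as `trusted_hosts` keeps legitimate enrollment profiles from being flagged.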