{"id":108464,"date":"2023-01-19T10:00:06","date_gmt":"2023-01-19T10:00:06","guid":{"rendered":"https:\/\/kasperskycontenthub.com\/securelist\/?p=108464"},"modified":"2023-01-18T14:57:00","modified_gmt":"2023-01-18T14:57:00","slug":"roaming-mantis-dns-changer-in-malicious-mobile-app","status":"publish","type":"post","link":"https:\/\/securelist.com\/roaming-mantis-dns-changer-in-malicious-mobile-app\/108464\/","title":{"rendered":"Roaming Mantis implements new DNS changer in its malicious mobile app in 2022"},"content":{"rendered":"<p>Roaming Mantis (a.k.a Shaoye) is well-known as a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal device information; it also uses phishing pages to steal user credentials, with a strong financial motivation.<\/p>\n<p>Kaspersky has been investigating the actor&#8217;s activity throughout 2022, and we observed a DNS changer function used for getting into Wi-Fi routers and undertaking DNS hijacking. This was newly implemented in the known Android malware Wroba.o\/Agent.eq (a.k.a Moqhao, XLoader), which was the main malware used in this campaign.<\/p>\n<h2 id=\"dns-changer-via-malicious-mobile-app\">DNS changer via malicious mobile app<\/h2>\n<p>Back in 2018, Kaspersky first <a href=\"https:\/\/securelist.com\/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones\/85178\/\" target=\"_blank\" rel=\"noopener\">saw Roaming Mantis activities<\/a> targeting the Asian region, including Japan, South Korea and Taiwan. At that time, the criminals compromised Wi-Fi routers for use in DNS hijacking, which is a very effective technique. It was identified as a serious issue in both <a href=\"https:\/\/blog.nicter.jp\/2018\/03\/router-dns-hack\/\" target=\"_blank\" rel=\"noopener\">Japan<\/a> and <a href=\"https:\/\/www.boannews.com\/media\/view.asp?idx=67476\" target=\"_blank\" rel=\"noopener\">South Korea<\/a>. Through rogue DNS servers, all users accessing a compromised router were redirected to a malicious landing page. From mid-2019 until 2022, the criminals mainly used smishing instead of DNS hijacking to deliver a malicious URL as their landing page. The landing page identified the user&#8217;s device platform to provide malicious APK files for Android or redirect to phishing pages for iOS.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192014\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_01.png\" class=\"magnificImage\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-108466\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192014\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_01.png\" alt=\"Infection flow with DNS hijacking\" width=\"856\" height=\"369\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192014\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_01.png 856w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192014\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_01-300x129.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192014\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_01-768x331.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192014\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_01-406x175.png 406w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192014\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_01-370x159.png 370w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192014\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_01-650x280.png 650w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192014\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_01-800x345.png 800w\" sizes=\"(max-width: 856px) 100vw, 856px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><strong><em>Infection flow with DNS hijacking<\/em><\/strong><\/p>\n<p>In September 2022, we carried out a deep analysis of Wroba.o (MD5 f9e43cc73f040438243183e1faf46581) and discovered the DNS changer was implemented to target specific Wi-Fi routers. It obtains the default gateway IP address as the connected Wi-Fi router IP, and checks the device model from the router&#8217;s admin web interface.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192052\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_02.png\" class=\"magnificImage\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-large wp-image-108467\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192052\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_02-1024x399.png\" alt=\"Code for checking Wi-Fi router model\" width=\"1024\" height=\"399\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192052\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_02-1024x399.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192052\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_02-300x117.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192052\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_02-768x299.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192052\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_02-450x175.png 450w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192052\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_02-370x144.png 370w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192052\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_02-719x280.png 719w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192052\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_02-800x311.png 800w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192052\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_02.png 1151w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><strong><em>Code for checking Wi-Fi router model<\/em><\/strong><\/p>\n<p>The following strings are hardcoded for checking the Wi-Fi router model:<\/p>\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 50%\">\n<ul>\n<li>ipTIME N3-i<\/li>\n<li>ipTIME N604plus-i<\/li>\n<li>EFM Networks ipTIME N604plus-i<\/li>\n<li>EFM Networks &#8211; ipTIME Q104<\/li>\n<li>EFM Networks ipTIME Q104<\/li>\n<li>EFM Networks &#8211; ipTIME Q204<\/li>\n<li>EFM Networks ipTIME Q204<\/li>\n<li>EFM Networks ipTIME V108<\/li>\n<li>EFM Networks ipTIME Q604<\/li>\n<li>EFM Networks ipTIME Q604 PINKMOD<\/li>\n<li>EFM Networks ipTIME N104R<\/li>\n<li>EFM Networks ipTIME N604R<\/li>\n<li>EFM Networks ipTIME Q504<\/li>\n<li>EFM Networks ipTIME N5<\/li>\n<li>EFM Networks ipTIME N604V<\/li>\n<li>EFM Networks ipTIME N104T<\/li>\n<li>EFM Networks &#8211; ipTIME G301<\/li>\n<li>title.n704bcm<\/li>\n<li>title.a8004t<\/li>\n<li>title.a2004sr<\/li>\n<li>title.n804r<\/li>\n<li>title.n104e<\/li>\n<li>title.n104pk<\/li>\n<li>title.a1004ns<\/li>\n<li>title.a604m<\/li>\n<li>title.n104pi<\/li>\n<li>title.a2008<\/li>\n<li>title.ax2004b<\/li>\n<li>title.n104q<\/li>\n<li>title.n604e<\/li>\n<li>title.n704e<\/li>\n<li>title.n704v3<\/li>\n<li>title.n704v5<\/li>\n<li>title.t5004<\/li>\n<li>title.t5008<\/li>\n<li>title.a1004<\/li>\n<li>title.a2003nm<\/li>\n<li>title.a2004sr<\/li>\n<li>title.a5004nm<\/li>\n<li>title.a604sky<\/li>\n<li>title.n2pi<\/li>\n<li>title.n604pi<\/li>\n<li>title.a2004m<\/li>\n<li>title.a3004nm<\/li>\n<li>title.a7ns<\/li>\n<li>title.a8txr<\/li>\n<li>title.ew302nr<\/li>\n<li>title.n602e<\/li>\n<li>title.t16000<\/li>\n<li>title.a3003ns<\/li>\n<li>title.a6004nm<\/li>\n<li>title.n1e<\/li>\n<li>title.n3i<\/li>\n<li>title.n6<\/li>\n<li>title.a2004ns<\/li>\n<li>title.n1pi<\/li>\n<li>title.a2004r<\/li>\n<\/ul>\n<\/td>\n<td style=\"width: 50%\">\n<ul>\n<li>title.n704bcm<\/li>\n<li>title.n600<\/li>\n<li>title.n102e<\/li>\n<li>title.n702r<\/li>\n<li>title.a8004i<\/li>\n<li>title.a2004nm<\/li>\n<li>title.t16000m<\/li>\n<li>title.a8004t<\/li>\n<li>title.a604r<\/li>\n<li>title.a9004x2<\/li>\n<li>title.a3004t<\/li>\n<li>title.n804r<\/li>\n<li>title.n5i<\/li>\n<li>title.n704qc<\/li>\n<li>title.a8004nm<\/li>\n<li>title.a8004nb<\/li>\n<li>title.n604p<\/li>\n<li>title.a604gm<\/li>\n<li>title.a3004<\/li>\n<li>title.a3008<\/li>\n<li>title.n2v<\/li>\n<li>title.ax2004m<\/li>\n<li>title.v504<\/li>\n<li>title.n1p<\/li>\n<li>title.n704bcm<\/li>\n<li>title.ew302<\/li>\n<li>title.n104qi<\/li>\n<li>title.n104r<\/li>\n<li>title.n2p<\/li>\n<li>title.n608<\/li>\n<li>title.q604<\/li>\n<li>title.n104rsk<\/li>\n<li>title.n2e<\/li>\n<li>title.n604s<\/li>\n<li>title.n604t<\/li>\n<li>title.n702bcm<\/li>\n<li>title.n804<\/li>\n<li>title.n3<\/li>\n<li>title.q504<\/li>\n<li>title.a604<\/li>\n<li>title.v308<\/li>\n<li>title.a3004d<\/li>\n<li>title.n104p<\/li>\n<li>title.g104i<\/li>\n<li>title.n604r<\/li>\n<li>title.a2004<\/li>\n<li>title.a704nb<\/li>\n<li>title.a604v<\/li>\n<li>title.n6004r<\/li>\n<li>title.n604p<\/li>\n<li>title.t3004<\/li>\n<li>title.n5<\/li>\n<li>title.n904<\/li>\n<li>title.a5004ns<\/li>\n<li>title.n8004r<\/li>\n<li>title.n604vlg<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>From these hardcoded strings, we saw that the DNS changer functionality was implemented to target Wi-Fi routers located in South Korea: the targeted models have been used mainly in South Korea.<\/p>\n<p>Next, the DNS changer connects to the hardcoded vk.com account &#8220;id728588947&#8221; to get the next destination, which is &#8220;107.148.162[.]237:26333\/sever.ini&#8221;. The &#8220;sever.ini&#8221; (note the misspelling of se<span style=\"color: #ff0000\">r<\/span>ver) dynamically provided the criminal&#8217;s current rogue DNS IP addresses.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192155\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_03.png\" class=\"magnificImage\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-large wp-image-108468\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192155\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_03-1024x533.png\" alt=\"Rogue DNS from a vk.com hardcoded account to compromise the DNS setting\" width=\"1024\" height=\"533\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192155\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_03-1024x533.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192155\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_03-300x156.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192155\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_03-768x400.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192155\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_03-336x175.png 336w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192155\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_03-370x193.png 370w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192155\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_03-538x280.png 538w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192155\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_03-800x417.png 800w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192155\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_03.png 1123w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><strong><em>Rogue DNS from a vk.com hardcoded account to compromise the DNS setting<\/em><\/strong><\/p>\n<p>Checking the code of the DNS changer, it seems to be using a default admin ID and password such as &#8220;admin:admin&#8221;. Finally, the DNS changer generates a URL query with the rogue DNS IPs to compromise the DNS settings of the Wi-Fi router, depending on the model, as follows.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192230\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_04.png\" class=\"magnificImage\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-108469\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192230\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_04.png\" alt=\"Hardcoded default ID and password to compromise DNS settings using the URL query\" width=\"979\" height=\"356\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192230\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_04.png 979w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192230\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_04-300x109.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192230\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_04-768x279.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192230\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_04-481x175.png 481w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192230\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_04-370x135.png 370w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192230\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_04-770x280.png 770w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16192230\/Roaming_Mantis_newly_implemented_DNS_changer_in_malicious_mobile_app_04-800x291.png 800w\" sizes=\"(max-width: 979px) 100vw, 979px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><strong><em>Hardcoded default ID and password to compromise DNS settings using the URL query<\/em><\/strong><\/p>\n<p>We believe that the discovery of this new DNS changer implementation is very important in terms of security. The attacker can use it to manage all communications from devices using a compromised Wi-Fi router with the rogue DNS settings. For instance, the attacker can redirect to malicious hosts and interfere with security product updates. In 2016, details of another Android DNS changer were <a href=\"https:\/\/securelist.com\/switcher-android-joins-the-attack-the-router-club\/76969\/\" target=\"_blank\" rel=\"noopener\">published<\/a>, demonstrating why DNS hijacking is critical.<\/p>\n<p>Users connect infected Android devices to free\/public Wi-Fi in such places as cafes, bars, libraries, hotels, shopping malls and airports. When connected to a targeted Wi-Fi model with vulnerable settings, the Android malware will compromise the router and affect other devices as well. As a result, it is capable of spreading widely in the targeted regions.<\/p>\n<h2 id=\"investigation-of-landing-page-statistics\">Investigation of landing page statistics<\/h2>\n<p>As we mentioned above, the main target regions of the DNS changer were mainly South Korea. However, the attackers not only targeted South Korea but also France, Japan, Germany, the United States, Taiwan, Turkey and other regions. Smishing has been observed to be the main initial infection method in these regions, except South Korea, though we should keep in mind that the criminals may update the DNS changer function to target Wi-Fi routers in those regions in the near future.<\/p>\n<p>In December 2022, we confirmed some landing pages and got an understanding of the number of downloaded APK files. Below are some examples of the download URLs from the landing page statistics.<\/p>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td style=\"text-align: center\" width=\"15%\"><strong>Target regions<\/strong><\/td>\n<td style=\"text-align: center\" width=\"20%\"><strong>Landing page IP<\/strong><\/td>\n<td style=\"text-align: center\" width=\"20%\"><strong># of Downloaded APK<\/strong><\/td>\n<td style=\"text-align: center\" width=\"45%\"><strong>Examples of download URLs<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Japan<\/td>\n<td>103.80.134[.]40<br \/>\n103.80.134[.]41<br \/>\n103.80.134[.]42<br \/>\n103.80.134[.]48<br \/>\n103.80.134[.]49<br \/>\n103.80.134[.]50<br \/>\n103.80.134[.]51<br \/>\n103.80.134[.]52<br \/>\n103.80.134[.]53<br \/>\n103.80.134[.]54<\/td>\n<td>24645<\/td>\n<td>http:\/\/3.wubmh[.]com\/chrome.apk<br \/>\nhttp:\/\/5.hmrgt[.]com\/chrome.apk<br \/>\nhttp:\/\/9v.tbeew[.]com\/chrome.apk<\/td>\n<\/tr>\n<tr>\n<td>Austria<\/td>\n<td>199.167.138[.]36<br \/>\n199.167.138[.]38<br \/>\n199.167.138[.]39<br \/>\n199.167.138[.]40<\/td>\n<td>7354<\/td>\n<td>http:\/\/8.ondqp[.]com\/chrome.apk<br \/>\nhttp:\/\/5c2d.zgngu[.]com\/chrome.apk<br \/>\nhttp:\/\/d.vbmtu[.]com\/chrome.apk<\/td>\n<\/tr>\n<tr>\n<td>France<\/td>\n<td>199.167.138[.]48<br \/>\n199.167.138[.]49<br \/>\n199.167.138[.]51<br \/>\n199.167.138[.]52<\/td>\n<td>7246<\/td>\n<td>http:\/\/j.vbrui[.]com\/chrome.apk<br \/>\nhttp:\/\/vj.nrgsd[.]com\/chrome.apk<br \/>\nhttp:\/\/k.uvqyo[.]com\/chrome.apk<\/td>\n<\/tr>\n<tr>\n<td>Germany<\/td>\n<td>91.204.227[.]144<br \/>\n91.204.227[.]145<br \/>\n91.204.227[.]146<\/td>\n<td>5827<\/td>\n<td>https:\/\/mh.mgtnv[.]com\/chrome.apk<br \/>\nhttp:\/\/g.dguit[.]com\/chrome.apk<br \/>\nhttp:\/\/xtc9.rvnbg[.]com\/chrome.apk<\/td>\n<\/tr>\n<tr>\n<td>South Korea<\/td>\n<td>27.124.36[.]32<br \/>\n27.124.36[.]34<br \/>\n27.124.36[.]52<br \/>\n27.124.39[.]241<br \/>\n27.124.39[.]242<br \/>\n27.124.39[.]243<\/td>\n<td>508<\/td>\n<td>http:\/\/<strong><span style=\"color: #009688\">m.naver.com<\/span><\/strong>\/chrome.apk<br \/>\nhttps:\/\/<strong><span style=\"color: #009688\">m.daum.net<\/span><\/strong>\/chrome.apk<br \/>\n(<strong><span style=\"color: #009688\">legitimate domains<\/span><\/strong> because DNS hijacking)<\/td>\n<\/tr>\n<tr>\n<td>Turkey<\/td>\n<td>91.204.227[.]131<br \/>\n91.204.227[.]132<\/td>\n<td>381<\/td>\n<td>http:\/\/y.vpyhc[.]com\/chrome.apk<br \/>\nhttp:\/\/r48.bgxbm[.]com\/chrome.apk<br \/>\nhttp:\/\/t9o.qcupn[.]com\/chrome.apk<\/td>\n<\/tr>\n<tr>\n<td>Malaysia<\/td>\n<td>134.122.137[.]14<br \/>\n134.122.137[.]15<br \/>\n134.122.137[.]16<\/td>\n<td>154<\/td>\n<td>http:\/\/3y.tmztp[.]com\/chrome.apk<br \/>\nhttp:\/\/1hy5.cwdqh[.]com\/chrome.apk<br \/>\nhttp:\/\/53th.xgunq[.]com\/chrome.apk<\/td>\n<\/tr>\n<tr>\n<td>India<\/td>\n<td>199.167.138[.]41<br \/>\n199.167.138[.]43<br \/>\n199.167.138[.]44<br \/>\n199.167.138[.]45<\/td>\n<td>28<\/td>\n<td>http:\/\/w3.puvmw[.]com\/chrome.apk<br \/>\nhttp:\/\/o.wgvpd[.]com\/chrome.apk<br \/>\nhttp:\/\/kwdd.cehsg[.]com\/chrome.apk<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The number of downloaded APK files was reset at the beginning of December 2022. After a few days, we got the above numbers from the landing pages, and it showed us that Android malware was still being actively downloaded for some targeted regions. It also showed us that the most affected region was Japan, followed by Austria and France. From this investigation, we noted that the criminals have now also added Austria and Malaysia to their main target regions.<\/p>\n<p>According to the download URLs for each region above, with the exception of South Korea, it seems that the criminals randomly generated and registered these domains to resolve the IP addresses of the landing page. It seems pretty obvious these domains were used as a link in the smishing for the initial infection. Regarding South Korea, the URLs have a legitimate domain because of DNS hijacking. Resolving the legitimate domain for &#8220;<span style=\"color: #ff0000\">m<\/span>.xxx.zzz&#8221; (for mobile) and &#8220;<span style=\"color: #009688\">www<\/span>.xxx.zzz&#8221; with rogue DNS and legitimate DNS yields the following results, respectively:<\/p>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td style=\"text-align: center\" width=\"50%\"><strong>&#8220;m.xxx.zzz&#8221; + rogue DNS<\/strong><\/td>\n<td style=\"text-align: center\" width=\"50%\"><strong>&#8220;www.xxx.zzz&#8221; + rogue DNS<\/strong><\/td>\n<\/tr>\n<tr>\n<td>$ dig <span style=\"color: #ff0000\">m<\/span>.daum.net @ <span style=\"color: #ff0000\">193.239.154.15<\/span><\/p>\n<p>; &lt;&lt;&gt;&gt; DiG 9.18.1-1ubuntu1.2-Ubuntu &lt;&lt;&gt;&gt;<br \/>\nm.daum.net @193.239.154.15<br \/>\n;; global options: +cmd<br \/>\n;; Got answer:<br \/>\n;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status:<br \/>\nNOERROR, id: 15464<br \/>\n;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY:<br \/>\n0, ADDITIONAL: 0<br \/>\n;; WARNING: recursion requested but not available<\/p>\n<p>;;QUESTION SECTION:<br \/>\n;m.daum.net.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A<\/p>\n<p>;; ANSWER SECTION:<br \/>\nm.daum.net.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 600\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: #ff0000\">27.124.39.243<\/span><\/p>\n<p>;;Query time: 104 msec<br \/>\n;; SERVER: 193.239.154.15#53(193.239.154.15) (UDP)<br \/>\n;; WHEN: Wed Dec 07 02:09:51 GMT 2022<br \/>\n;; MSG SIZE\u00a0 rcvd: 54<\/td>\n<td>$ dig <span style=\"color: #009688\">www<\/span>.daum.net @<span style=\"color: #ff0000\">193.239.154.15<\/span><\/p>\n<p>; &lt;&lt;&gt;&gt; DiG 9.18.1-1ubuntu1.2-Ubuntu &lt;&lt;&gt;&gt;<br \/>\nwww.daum.net @193.239.154.15<br \/>\n;; global options: +cmd<br \/>\n;; Got answer:<br \/>\n;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status:<br \/>\nNOERROR, id: 40935<br \/>\n;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY:<br \/>\n0, ADDITIONAL: 0<br \/>\n;; WARNING: recursion requested but not available<\/p>\n<p>;; QUESTION SECTION:<br \/>\n;www.daum.net.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A<\/p>\n<p>;; ANSWER SECTION:<br \/>\nwww.daum.net.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 600\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: #009688\">121.53.105.193<\/span><\/p>\n<p>;; Query time: 48 msec<br \/>\n;; SERVER: 193.239.154.15#53(193.239.154.15) (UDP)<br \/>\n;; WHEN: Wed Dec 07 02:09:57 GMT 2022<br \/>\n;; MSG SIZE\u00a0 rcvd: 58<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>As you can see, their rogue DNS only works in the mobile domain, which is &#8220;<strong><span style=\"color: #ff0000\">m<\/span><\/strong>.xxx.zzz&#8221;. We believe the criminals only filtered a limited number of domains that can be resolved to their landing page to hide their activity from security researchers.<\/p>\n<h2 id=\"geography-based-on-ksn\">Geography based on KSN<\/h2>\n<p>Our telemetry showed the detection rate of Wroba.o (Trojan-Dropper.AndroidOS.Wroba.o) for each region such as France (54.4%), Japan (12.1%) and the United States (10.1%). When compared with the landing page statistics above, the results are similar in that many detections have been observed in France, Japan, Austria and Germany. On the other hand, while we had previously monitored landing pages for the United States, this time we haven&#8217;t seen those landing pages.<\/p>\n<h2 id=\"conclusions\">Conclusions<\/h2>\n<p>From 2019 to 2022, Kaspersky observed that the Roaming Mantis campaign mainly used smishing to deliver a malicious URL to their landing page. In September 2022, we analyzed the new Wroba.o Android malware and discovered a DNS changer function that was implemented to target specific Wi-Fi routers used mainly in South Korea. Users with infected Android devices that connect to free or public Wi-Fi networks may spread the malware to other devices on the network if the Wi-Fi network they are connected to is vulnerable. Kaspersky experts are concerned about the potential for the DNS changer to be used to target other regions and cause significant issues. Kaspersky products detect this Android malware as HEUR:Trojan-Dropper.AndroidOS.Wroba.o or HEUR:Trojan-Dropper.AndroidOS.Agent.eq, providing protection from this cyberthreat to Kaspersky&#8217;s customers and users.<\/p>\n<h2 id=\"iocs\">IoCs<\/h2>\n<p><strong>MD5 of Wroba.o<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/2036450427a6f4c39cd33712aa46d609\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">2036450427a6f4c39cd33712aa46d609<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/8efae5be6e52a07ee1c252b9a749d59f\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">8efae5be6e52a07ee1c252b9a749d59f<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/95a9a26a95a4ae84161e7a4e9914998c\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">95a9a26a95a4ae84161e7a4e9914998c<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ab79c661dd17aa62e8acc77547f7bd93\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ab79c661dd17aa62e8acc77547f7bd93<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/d27b116b21280f5ccc0907717f2fd596\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">d27b116b21280f5ccc0907717f2fd596<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/f9e43cc73f040438243183e1faf46581\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">f9e43cc73f040438243183e1faf46581<\/a><\/p>\n<p><strong>Domains of landing pages:<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/1hy5.cwdqh.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">1hy5.cwdqh[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/3.wubmh.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">3.wubmh[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/3y.tmztp.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">3y.tmztp[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/53th.xgunq.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">53th.xgunq[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/5c2d.zgngu.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">5c2d.zgngu[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/5.hmrgt.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">5.hmrgt[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/8.ondqp.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">8.ondqp[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/9v.tbeew.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">9v.tbeew[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/d.vbmtu.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">d.vbmtu[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/g.dguit.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">g.dguit[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/j.vbrui.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">j.vbrui[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/k.uvqyo.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">k.uvqyo[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/kwdd.cehsg.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">kwdd.cehsg[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/mh.mgtnv.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">mh.mgtnv[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/o.wgvpd.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">o.wgvpd[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/r48.bgxbm.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">r48.bgxbm[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/t9o.qcupn.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">t9o.qcupn[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/vj.nrgsd.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">vj.nrgsd[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/w3.puvmw.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">w3.puvmw[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/xtc9.rvnbg.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">xtc9.rvnbg[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/y.vpyhc.com\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">y.vpyhc[.]com<\/a><\/p>\n<p><strong>IPs of landing pages:<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/103.80.134.40\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">103.80.134[.]40<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/103.80.134.41\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">103.80.134[.]41<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/103.80.134.42\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">103.80.134[.]42<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/103.80.134.48\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">103.80.134[.]48<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/103.80.134.49\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">103.80.134[.]49<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/103.80.134.50\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">103.80.134[.]50<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/103.80.134.51\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">103.80.134[.]51<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/103.80.134.52\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">103.80.134[.]52<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/103.80.134.53\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">103.80.134[.]53<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/103.80.134.54\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">103.80.134[.]54<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/134.122.137.14\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">134.122.137[.]14<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/134.122.137.15\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">134.122.137[.]15<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/134.122.137.16\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">134.122.137[.]16<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/199.167.138.36\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">199.167.138[.]36<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/199.167.138.38\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">199.167.138[.]38<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/199.167.138.39\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">199.167.138[.]39<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/199.167.138.40\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">199.167.138[.]40<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/199.167.138.41\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">199.167.138[.]41<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/199.167.138.43\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">199.167.138[.]43<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/199.167.138.44\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">199.167.138[.]44<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/199.167.138.45\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">199.167.138[.]45<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/199.167.138.48\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">199.167.138[.]48<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/199.167.138.49\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">199.167.138[.]49<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/199.167.138.51\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">199.167.138[.]51<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/199.167.138.52\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">199.167.138[.]52<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/27.124.36.32\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">27.124.36[.]32<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/27.124.36.34\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">27.124.36[.]34<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/27.124.36.52\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">27.124.36[.]52<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/27.124.39.241\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">27.124.39[.]241<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/27.124.39.242\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">27.124.39[.]242<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/27.124.39.243\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">27.124.39[.]243<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/91.204.227.131\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">91.204.227[.]131<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/91.204.227.132\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">91.204.227[.]132<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/91.204.227.144\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">91.204.227[.]144<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/91.204.227.145\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">91.204.227[.]145<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/91.204.227.146\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">91.204.227[.]146<\/a><\/p>\n<p><strong>Rogue DNS:<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/193.239.154.15\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">193.239.154[.]15<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/193.239.154.16\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">193.239.154[.]16<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/193.239.154.17\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">193.239.154[.]17<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/193.239.154.18\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">193.239.154[.]18<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/193.239.154.22\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">193.239.154[.]22<\/a><\/p>\n<p><strong>Hardcoded malicious accounts of vk.com to obtain live rogue DNS servers:<\/strong><br \/>\nid728588947<\/p>\n<p><strong>Providing live rogue DNS servers:<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/107.148.162.237%3A26333%2Fsever.ini\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">107.148.162[.]237:26333\/sever.ini<\/a><\/p>\n<p><strong>Suspicious accounts\/pages of some legitimate services for obtaining C2s<\/strong><br \/>\nhttp:\/\/m.vk[.]com\/id668999378?act=info<br \/>\nhttp:\/\/m.vk[.]com\/id669000526?act=info<br \/>\nhttp:\/\/m.vk[.]com\/id669000956?act=info<br \/>\nhttp:\/\/m.vk[.]com\/id674309800?act=info<br \/>\nhttp:\/\/m.vk[.]com\/id674310752?act=info<br \/>\nhttp:\/\/m.vk[.]com\/id730148259?act=info<br \/>\nhttp:\/\/m.vk[.]com\/id730149630?act=info<br \/>\nhttp:\/\/m.vk[.]com\/id761343811?act=info<br \/>\nhttp:\/\/m.vk[.]com\/id761345428?act=info<br \/>\nhttp:\/\/m.vk[.]com\/id761346006?act=info<br \/>\nhttps:\/\/www.youtube[.]com\/channel\/UCP5sKzxDLR5yhO1IB4EqeEg\/about<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA%2Fmobilebasic\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.google[.]com\/document\/d\/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA\/mobilebasic<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo%2Fmobilebasic\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.google[.]com\/document\/d\/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo\/mobilebasic<\/a><\/p>\n<p><strong>C&amp;C<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/91.204.227.32\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">91.204.227[.]32<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/91.204.227.33\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">91.204.227[.]33<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/92.204.255.173\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">92.204.255[.]173<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/91.204.227.39\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">91.204.227[.]39<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/118.160.36.14\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">118.160.36[.]14<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/198.144.149.131\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">198.144.149[.]131<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. In 2022, we observed a DNS changer function implemented in its Android malware Wroba.o.<\/p>\n","protected":false},"author":312,"featured_media":108506,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[908],"tags":[538,34,123,30,76,53,544],"banners":"","hreflang":[{"hreflang":"x-default","url":"https:\/\/securelist.com\/roaming-mantis-dns-changer-in-malicious-mobile-app\/108464\/"}],"_links":{"self":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108464"}],"collection":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/users\/312"}],"replies":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/comments?post=108464"}],"version-history":[{"count":13,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108464\/revisions"}],"predecessor-version":[{"id":108490,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108464\/revisions\/108490"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media\/108506"}],"wp:attachment":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media?parent=108464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/categories?post=108464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/tags?post=108464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}