Roaming Mantis Uses DNS Changers to Target Users via Compromised Public Routers

Woburn, MA – January 19, 2023 – Today Kaspersky researchers reported on a new domain name system (DNS) changer functionality used in the notorious Roaming Mantis campaign. Cybercriminals have demonstrated they can use compromised public Wi-Fi routers to try to infect more Android smartphones with the campaign's Wroba.o malware. Attackers used the new technique against users in South Korea, but it could soon be implemented in other countries as well.

Roaming Mantis (a.k.a. Shaoye) is a cybercriminal campaign first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to control infected Android devices and steal device information. It also has a phishing option for iOS devices and cryptomining capabilities for PCs. The name of the campaign is based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection.

New DNS changer functionality to attack more users via public routers

Kaspersky discovered that Roaming Mantis recently introduced a domain name system (DNS) changer functionality in Wroba.o (a.k.a. Agent.eq, Moqhao, XLoader), the malware that was mainly used in the campaign. A DNS changer is a malicious program that directs the device connected to a compromised Wi-Fi router to a server under the control of cybercriminals instead of a legitimate DNS server. On the malicious landing page, the potential victim is prompted to download malware that can control the device or steal credentials.

At the moment, the threat actor behind Roaming Mantis is only targeting routers located in South Korea and manufactured by a very popular South Korean network equipment vendor. To identify them, the new DNS changer functionality gets the router's IP address and checks the router's model, compromising targeted ones by overwriting the DNS settings. In December 2022, Kaspersky observed 508 malicious APK downloads in the country (see Table 1).

An investigation of malicious landing pages found that attackers are also targeting other regions using smishing instead of DNS changers. This technique employs text messages to spread malicious links that direct the victim to a malicious site to download malware onto the device or steal user information via a phishing website. Japan topped the list of targeted countries with nearly 25,000 malicious APK downloads from the landing pages created by cybercriminals. Austria and France followed with roughly 7,000 downloads each. Germany, Turkey, Malaysia and India rounded out the list. Kaspersky researchers predict that the perpetrators may soon update the DNS changer function to target Wi-Fi routers in these regions as well.

Country        Number of malicious APK downloads
Japan          24,645
Austria         7,354
France          7,246
Germany         5,827
South Korea       508
Turkey            381
Malaysia          154
India              28

Table 1. The number of malicious APK downloads per country, based on investigation of malicious landing pages created within the Roaming Mantis campaign, first half of December 2022

According to Kaspersky Security Network (KSN) statistics for September – December 2022, the highest detection rate of Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) was in France (54.4%), Japan (12.1%) and the U.S. (10.1%).

“When an infected smartphone connects to ‘healthy’ routers in various public places like cafes, bars, libraries, hotels, shopping malls, airports, and even homes, Wroba.o malware can compromise these routers and affect other connected devices as well,” said Suguru Ishimaru, senior security researcher at Kaspersky. “The new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products. We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions.”

To read the full report on the newly implemented DNS changer functionality, please visit

In order to protect your internet connection from this infection, Kaspersky researchers recommend the following:

  • Refer to your router's user manual to verify that your DNS settings haven't been tampered with, or contact your ISP for support.
  • Change the default login and password for the admin web interface of the router, and regularly update your router's firmware from the official source.
  • Never install router firmware from third-party sources. Avoid using third-party repositories for your Android devices.
  • Further, always check browser and website addresses to make sure they're legitimate; look for indicators such as https when asked to enter data.
  • Consider installing a mobile security solution, such as Kaspersky, to protect your devices from these and other threats.
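The first recommendation, checking that the router's DNS settings have not been tampered with, can be turned into a simple audit. The following is an added example written for this page, not code from Kaspersky or from the report; the allow-list of trusted resolvers, the LAN range and the sample answers are all constructed assumptions. It flags resolver addresses that are neither the router itself nor on the allow-list, and separately spots the pattern a rogue resolver produces when it steers many unrelated names to one landing-page host.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed allow-list (an assumption for this example): the resolvers an
# operator expects on the router's WAN side, e.g. the ISP's or a chosen public service.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def classify_resolver(server: str, lan_cidr: str, trusted=TRUSTED_RESOLVERS) -> str:
    """Label one DNS server address as read from a device or the router admin page."""
    ip = ipaddress.ip_address(server)
    if ip in ipaddress.ip_network(lan_cidr):
        return "lan"          # usually the router itself forwarding DNS: normal
    if server in trusted:
        return "trusted"
    return "unexpected"       # off-LAN and not on the allow-list: inspect the router


def audit_resolvers(servers: List[str], lan_cidr: str) -> List[str]:
    """Return the configured resolvers that should be investigated."""
    return [s for s in servers if classify_resolver(s, lan_cidr) == "unexpected"]


def collapsed_answers(answers: Dict[str, str], threshold: int = 3) -> Dict[str, List[str]]:
    """Group domains by the A record they resolved to; keep groups of size >= threshold.

    A resolver that redirects victims to a single landing page answers many
    unrelated names with the same address, which a healthy resolver does not do.
    """
    by_ip = defaultdict(list)
    for name, ip in answers.items():
        by_ip[ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= threshold}


if __name__ == "__main__":
    # Constructed sample: what a user might read off the router's DNS settings page.
    print(audit_resolvers(["192.168.0.1", "198.51.100.53"], "192.168.0.0/24"))
    # Constructed sample answers from the router-supplied resolver for unrelated names.
    sample = {"bank.example": "198.51.100.77", "shop.example": "198.51.100.77",
              "news.example": "198.51.100.77", "mail.example": "203.0.113.10"}
    print(collapsed_answers(sample))
```

The domain-to-address map would in practice be filled by querying a handful of well-known names through the router-supplied resolver and comparing with a trusted resolver; the grouping logic is the same.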

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company's comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at
