Kaspersky discovered that a malicious campaign dubbed Roaming Mantis, previously targeting mostly Asian regions, is expanding its infections via actively smishing (attacking through phishing mobile text messages and redirecting users to malicious content) new targets in Germany and France. The actor behind the campaign spreads mobile malware and phishing pages to collect targets’ private information and steal their money. The infected device then sends SMiShing messages to the next set of targets, like those that are in the user’s list of contacts for example.
In April 2018, Kaspersky researchers first discovered the Roaming Mantis. At the time, these cybercriminals only infected Android smartphones and targeted mostly Asian regions (South Korea, Bangladesh, and Japan). The campaign has evolved significantly in a short period of time. Since 2018, they have used various attack methods such as phishing, mining, smishing, and DNS-hijacking. The group has now expanded its geography, adding European countries to its main target regions.
Typically, the smishing messages contain a very short description and a URL to a landing page. If a user clicks on the link and opens the landing page, there are two scenarios in the Roaming Mantis campaign. In the first scenario, if it’s an iOS user, they are redirected to a phishing page imitating the official Apple website and are prompted to input the credentials. In the second scenario, the Android device gets infected by malware after clicking on the link in the smishing message. Then the actor starts sending SMiShing messages to new targets via the infected device, both from the user’s list of contacts and generated phone numbers. SMS texts, as a more personal communication channel, also naturally lower a person’s defenses against threats, as users usually do not expect to receive a malicious message from the people they know. This campaign against both iOS and Android users in France and Germany was so active that the police and local media published SMiShing alerts.
The actor sets up a feature so that it always checks the region of the infected Android device in order to display a phishing page in the corresponding language. In previous versions it was only used to check for three regions: Hong Kong, Taiwan, and Japan. Kaspersky experts observed an update in the latest version of the payload part, and now Germany and France have been added as new regions. Using the native language of targets allows the actor to manipulate a user’s decision-making and eventually convinces them to share their personal information and bank details.
Compared to earlier versions, there is also a new modification in the backdoor commands. The developer added backdoor commands to steal photos from infected devices, but information on how exactly the actor uses stolen pictures has not yet been found. However, cybercriminals often use personal photos to get money through blackmail or sextortion.
“Roaming Mantis has actively evolved over the past five years, coming up with new ways to attack, as well as expanding the territory of targeted countries. We predict these attacks will continue in 2022 because of the strong financial motivation, especially with the advent of new backdoor features that allow the actor to use victims’ photos. To keep users around the world safe, we are constantly researching and reporting on the latest Roaming Mantis activity,” comments Suguru Ishimaru, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
Read the full report about the Roaming Mantis part VI on Securelist.
To protect yourself from the Roaming Mantis attacks of smishing, Kaspersky recommends the following:
- Do not open suspicious URLs sent by SMS messages. Even if the message does not look suspicious, please cross-check the domain of the URL before accessing it.
- Even if a message or email came from one of your best friends, remember that their accounts could also have been hacked – remain cautious in any situation. Even if a message seems friendly, treat links and attachments with attention.
- Messages from official organizations, such as banks, tax agencies, online shops, travel agencies, airlines, and so on, also require scrutiny – even internal messages from your own office. It’s not that hard to fabricate a fake letter that looks real.