Avoidable mistakes lead to iOS cryptomining attacks

Just five months after Kaspersky Lab’s first report on the DNS hijacking operation to infect Android smartphones in Asia, the attack dubbed ‘Roaming Mantis’ remains highly active, exploring new tricks and techniques to extend its reach. Close monitoring by Kaspersky Lab experts discovered Roaming Mantis attempting to web mine iOS devices used for legitimate crypto mining.

The malware banked on the popular CoinHive miner, the tool it first used to infect PCs. Malicious cryptocurrency mining refers to hackers compromising a crypto mining platform to mine cryptocurrency at the expense of unaware victims. Researchers also noticed that the hackers have adopted a trial-and-error approach, testing which technique would earn them more money faster. For instance, the attacker repeatedly modified the malware's infected landing page, alternating between an Apple phishing site and a web coin-mining page.

Roaming Mantis has also expanded its attack and evasion tools. The group initially hijacked the DNS settings of compromised Wi-Fi routers to infect Android users in Japan, Korea, India, and Bangladesh with Trojanized applications named facebook.apk and chrome.apk. The latest updates reveal that facebook.apk has been renamed sagawa.apk and is now spread via a rented SMS message spoofing delivery service.

This technique was first used last year by another cybergang. Kaspersky Lab also found that the attacker spreads its malware via Prezi, a cloud-based presentation service that allows free user accounts; because the site is considered legitimate, security products find it harder to detect phishing or malicious activity hosted there. In addition, the redirected scam content shows that Roaming Mantis uses templates, which suggests that Prezi is an established delivery system for malicious content, too.

Aside from the updated tools and techniques, researchers at Kaspersky Lab spotted careless mistakes committed by the hacking group as it tries to dabble in additional types of attacks as fast as possible. Roaming Mantis, also known as MoqHao and XLoader, was launched in four languages and within two months quickly added two dozen more, including the Asian languages Bengali, both traditional and simplified Chinese, Hindi, Indonesian, Japanese, Korean, Malay, Tagalog, Thai, and Vietnamese.

After this update, researchers detected mix-ups in the language environment. For instance, Japanese users would get a pop-up message written in Korean. The group also used HTML instead of a URL to redirect users to its malicious content, contrary to how Prezi actually works as a delivery system.

As a result, the tweaked landing page was not able to infect its target victims. To protect your devices against Roaming Mantis attacks, Kaspersky Lab suggests users do the following:

1. Check your router’s settings.

2. Change the default admin login and password on your devices, especially those used in crypto mining.

3. Use robust security solutions for all your devices.

4. Do not allow “Install unknown apps.”