Roaming Mantis SMSishing campaign now targets Europe

The Roaming Mantis SMS phishing campaign is now targeting Android and iPhone users in Europe with malicious apps and phishing pages.

Roaming Mantis surfaced in March 2018 when hacked routers in Japan were redirecting users to compromised websites. Roaming Mantis is a credential theft and malware campaign that uses smishing to distribute malicious Android apps as APK files.

Investigations conducted by Kaspersky Lab indicated that the attack was targeting users in Asia with fake websites optimized for English, Korean, Simplified Chinese and Japanese. The most affected users were in Bangladesh, Japan and South Korea.

In the latest wave of attacks aimed at spreading phishing links via SMS messages (smishing), most of the victims were users from Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran and Vietnam.
Now the Roaming Mantis SMS phishing campaign is targeting Android and iPhone users in Germany and France with malicious apps and phishing pages.

In April 2019, the campaign began using a new landing page to target iOS devices, attempting to trick victims into installing a malicious iOS mobile configuration.
The configuration allows the phishing site to be launched in a web browser and to collect information from the target device.
In recent Roaming Mantis campaigns, operators employed a Trojan named ‘Wroba’ in attacks aimed at users in France and Germany. The infection chain starts with an SMS in which

“Our latest research into Roaming Mantis shows that the actor is focusing on expanding the transition by retorting users in Europe. The campaign was so active in France and Germany that it came to the attention of the German police and the French media. They alerted users to smishing messages and compromised websites used as landing pages,” reads the analysis published by Kaspersky.

The infection chain begins with an SMS sent to the target device that includes a URL and a warning message about a shipped package.
Upon clicking the link, the victim is redirected to a phishing page designed to steal the user’s Apple login credentials.

If the victim uses an Android device, they are redirected to a page that attempts to trick them into installing malware disguised as an Android app. Below are some of the impersonated apps, containing Wroba, used in this campaign:

[Figure: impersonated apps containing Wroba used in this campaign]

Roaming Mantis operators employed various obfuscation techniques in the landing page script to evade detection.

The analysis of Wroba.g/Wroba.o samples revealed several modifications in the loader module and payload.

The Wroba loader and payload are now written in Kotlin instead of Java, the programming language used in the past. Another change concerns the list of commands supported by the backdoor, which now includes “get_gallery” and “get_photo”, allowing operators to steal the victim’s photos and videos.

“It has been almost four years since Kaspersky first observed the Roaming Mantis campaign. Since then, the criminal group has continued its attack activities by using various malware families such as HEUR:Trojan-Dropper.AndroidOS.Wroba, and various attack methods such as phishing, mining, smishing and DNS poisoning. In addition, the group has now expanded its geography, adding two European countries to its main target regions.” concludes Kaspersky. “We predict these attacks will continue in 2022 because of the strong financial motivation.”