Several months after it extended its reach to European countries, the mobile threat campaign known as Roaming Mantis has been linked to a new wave of attacks targeting French mobile users. Sekoia said in a report that the active malware operation is believed to have infected no fewer than 70,000 Android smartphones.
Attack chains involving Roaming Mantis, a financially motivated Chinese threat actor, are known to either deploy the banking trojan MoqHao (aka XLoader) or redirect iPhone users to credential-harvesting landing pages that mimic the iCloud login page. Both tactics are aimed at stealing login credentials.
Sekoia's researchers describe MoqHao, also known as Wroba or XLoader for Android, as an Android remote access trojan (RAT) capable of collecting information and opening backdoors. The threat is believed to spread via SMS.
It all begins with an SMS phishing (smishing) message on a package-delivery theme that contains a rogue link for the recipient to follow. When the link is clicked, the server serves the malicious APK file, but only after first determining that the victim is located in France.
According to the researchers’ findings, the smishing campaign is geofenced and tries to install Android malware or acquire Apple iCloud credentials from the targeted victims.
The server inspects the client's IP address and User-Agent string. If the device does not run Android or iOS, it responds with an HTTP "404 Not Found" status code, and the same 404 response is returned if the client's location is outside France. In practice this means that a sandbox or analyst fetching the link from outside France, or with a desktop browser, sees nothing but a 404.
In most cases, MoqHao's first-stage delivery infrastructure consists of domains registered through the dynamic DNS provider Duck DNS. Once installed, the malicious app masquerades as the Chrome web browser to trick users into granting it the permissions it needs to access private data.
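To make the gating behaviour concrete, here is an added example (written for this article, not code from Sekoia or from the campaign itself) that models the landing-page decision described above and a simple triage check for Duck DNS hosts in smishing links. The IP ranges in the lookup table, the URLs and the User-Agent strings are all constructed for illustration; a real server would consult a geolocation database.

```python
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-in for an IP geolocation database (hypothetical ranges,
# documentation prefixes only; not real campaign infrastructure).
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "FR"),
    (ip_network("198.51.100.0/24"), "DE"),
]


def country_of(client_ip: str) -> Optional[str]:
    """Return the ISO country code for an IP, or None if unknown."""
    addr = ip_address(client_ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None


def platform_of(user_agent: str) -> str:
    """Coarse platform fingerprint from the User-Agent header."""
    ua = user_agent.lower()
    if "android" in ua:
        return "android"
    if any(tok in ua for tok in ("iphone", "ipad", "ipod")):
        return "ios"
    return "other"


def landing_page_response(client_ip: str, user_agent: str) -> Tuple[int, str]:
    """Model of the geofenced, platform-aware gate the article describes:
    French Android visitors get the APK, French iOS visitors are redirected
    to the fake iCloud login, and everyone else receives a 404."""
    if country_of(client_ip) != "FR":
        return 404, "Not found"
    platform = platform_of(user_agent)
    if platform == "android":
        return 200, "serve-apk"
    if platform == "ios":
        return 302, "redirect-icloud-phish"
    return 404, "Not found"


def is_duckdns_host(url: str) -> bool:
    """Triage helper: flag links whose host is a Duck DNS subdomain."""
    host = urlparse(url).hostname or ""
    return host.lower().endswith(".duckdns.org")


if __name__ == "__main__":
    ANDROID_UA = "Mozilla/5.0 (Linux; Android 12; Pixel 6) Mobile Safari/537.36"
    IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)"
    DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/105.0"
    # Constructed visits: (source IP, User-Agent)
    for ip, ua in [("203.0.113.10", ANDROID_UA), ("203.0.113.10", IPHONE_UA),
                   ("203.0.113.10", DESKTOP_UA), ("198.51.100.5", ANDROID_UA)]:
        print(ip, platform_of(ua), landing_page_response(ip, ua))
    # Constructed smishing link (hypothetical hostname)
    print(is_duckdns_host("http://suivi-colis-example.duckdns.org/track"))
```

The last two visits in the demo are the ones an analyst usually produces: a desktop browser from France, and an Android device from outside France. Both get the 404, which is why payload retrieval for this campaign needs a French egress address and a mobile User-Agent.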
The data-stealing trojan gives the operators remote access to infected devices, enabling them to silently collect sensitive data such as iCloud data, contact lists, call history, and SMS messages, among other information.
Sekoia warns that the collected data may be used in extortion schemes or sold to other threat actors for profit.