Roaming Mantis Virus Features DNS Setups

Researchers have been tracking the Roaming Mantis malware distribution and credential theft campaign since September 2022.

Malicious actors linked to the Roaming Mantis attack group have been observed distributing an updated variant of their signature mobile malware, Wroba, to compromise Wi-Fi routers and carry out Domain Name System (DNS) hijacking.

Kaspersky found that the threat actor behind Roaming Mantis currently targets only routers made by a well-known South Korean network equipment manufacturer.

The campaign uses an updated version of the Android malware Wroba.o/XLoader that identifies susceptible Wi-Fi routers by model and modifies their DNS settings.

Once the router's DNS settings have been altered, every Android device connected to that Wi-Fi network is redirected to the malicious landing page and prompted to install the malware. The result is a steady flow of newly infected devices, which can in turn compromise further Wi-Fi routers, including those on national public networks that serve a huge number of users.

The attacks use smishing (SMS phishing) messages as their primary intrusion vector to deliver a booby-trapped URL that, depending on the mobile device's operating system, either serves a malicious APK or directs the user to phishing pages.

Although there are no landing pages for U.S. targets and Roaming Mantis does not appear to be specifically targeting U.S. router models, Kaspersky's telemetry shows that 10% of all XLoader victims are in the United States.

Additionally, according to security researchers, the DNS-changing functionality was configured to primarily target Wi-Fi routers in South Korea. Roaming Mantis victims have also been observed in France, Japan, Germany, the US, Taiwan, Turkey, and other countries.

To protect the internet connection from such a virus, Kaspersky experts advise consulting the router's user manual to verify that its DNS settings have not been modified, or contacting your ISP for assistance. They further recommend updating the router's firmware regularly from the official source, changing the router's default username and password for the admin web interface, and never installing router firmware from third-party repositories or other unofficial sources.
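The check Kaspersky recommends (confirming that the router's DNS has not been tampered with) can be automated from any device on the network. The following is an added example, not code from the article or from Kaspersky: it validates the DHCP-assigned resolver against an allowlist and compares answers for a set of canary hostnames between the assigned resolver and a trusted one, flagging the pattern this campaign produces, where unrelated names all resolve to one landing-page address. The hostnames and addresses below are constructed sample data.

```python
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]  # hostname -> list of IPv4 answers

def system_resolve(hostname: str) -> List[str]:
    """Resolve via the OS resolver, i.e. whatever DNS the router handed out over DHCP."""
    return sorted({i[4][0] for i in socket.getaddrinfo(hostname, None, socket.AF_INET)})

def check_nameservers(assigned: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Return assigned resolver addresses that are not on the expected allowlist."""
    allowed = set(allowlist)
    return [ns for ns in assigned if ns not in allowed]

def detect_hijack(canaries: Iterable[str], assigned: Resolver,
                  trusted: Resolver) -> Dict[str, Dict[str, List[str]]]:
    """Flag canaries whose assigned-resolver answers share no address with the trusted answers.
    CDN-hosted names can legitimately differ by location, so prefer canaries with stable
    addresses and weigh the shared-sinkhole signal below more heavily than a single mismatch."""
    findings = {}
    for host in canaries:
        a, t = set(assigned(host)), set(trusted(host))
        if a and t and a.isdisjoint(t):
            findings[host] = {"assigned": sorted(a), "trusted": sorted(t)}
    return findings

def shared_sinkhole(findings: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Addresses returned for two or more unrelated flagged names: the landing-page
    pattern, where every hijacked lookup lands on the same attacker-controlled host."""
    counts = Counter(ip for f in findings.values() for ip in f["assigned"])
    return sorted(ip for ip, n in counts.items() if n >= 2)

# Constructed sample data standing in for live lookups (documentation-range addresses).
TRUSTED_ANSWERS = {"bank.example": ["198.51.100.20"],
                   "mail.example": ["198.51.100.30", "198.51.100.31"],
                   "cdn.example": ["192.0.2.5"]}
ROGUE_ANSWERS = {"bank.example": ["203.0.113.10"],   # rogue resolver points both names
                 "mail.example": ["203.0.113.10"],   # at a single landing page
                 "cdn.example": ["192.0.2.5"]}       # untouched name resolves normally

def run_demo():
    """Run the checks against the constructed data; swap in system_resolve for a live check."""
    findings = detect_hijack(TRUSTED_ANSWERS, lambda h: ROGUE_ANSWERS.get(h, []),
                             lambda h: TRUSTED_ANSWERS.get(h, []))
    bad_ns = check_nameservers(["203.0.113.53"], ["192.168.0.1", "9.9.9.9"])
    return findings, shared_sinkhole(findings), bad_ns

if __name__ == "__main__":
    f, sink, bad = run_demo()
    print("hijacked names:", sorted(f), "| shared landing page:", sink, "| unexpected resolvers:", bad)
```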