The mobile threat operation known as Roaming Mantis has been connected to a fresh wave of attacks targeting French mobile phone users, months after it expanded its scope to European countries.
According to a report released by Sekoia last week, the active malware operation is believed to have infected no fewer than 70,000 Android smartphones. Attack chains run by the financially motivated Chinese threat actor Roaming Mantis are known to deliver the banking trojan MoqHao (also known as XLoader) or to send iPhone users to landing pages that harvest credentials by imitating the iCloud login screen.
“MoqHao (aka Wroba, XLoader for Android) is an Android remote access trojan (RAT) with information-stealing and backdoor capabilities that likely spreads via SMS,” said Sekoia researchers.
The process begins with a phishing SMS, or “smishing,” which tempts users with a message about a package delivery containing a malicious link. When clicked, the link downloads the malicious APK file, but only after the server checks whether the victim is located in France. The server is programmed to respond with a “404 Not found” response code if the recipient is situated outside France and the device’s operating system is neither Android nor iOS, both of which are determined from the visitor’s IP address and User-Agent string.
“The smishing campaign is therefore geofenced and aims to install Android malware, or collect Apple iCloud credentials,” the researchers highlighted.
MoqHao commonly uses domains registered through the dynamic DNS provider Duck DNS for its first-stage delivery infrastructure. The malicious app also impersonates the Chrome web browser to trick users into granting it intrusive permissions. The trojan gives the attacker a channel for remote interaction with the compromised device, allowing them to covertly gather private information, including iCloud data, contact lists, call logs, and SMS messages.
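As an added example, not code from Sekoia or from this article, the following script triages SMS bodies against the delivery pattern described above (a package-delivery lure, a link on a Duck DNS host, an APK download). The keyword list, the placeholder lure host and the sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the campaign description above: a package-delivery lure,
# a link on a Duck DNS dynamic-DNS host, and an APK download. The keyword list,
# the suffix list and the sample messages below are constructed for this example.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)
DELIVERY_LURE_WORDS = ("colis", "livraison", "package", "parcel", "delivery")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_dynamic_dns_host(host):
    """True only for the provider itself or a subdomain of it (not 'evilduckdns.org')."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def classify_sms(text):
    """Score one SMS body and return the indicators it triggers plus a verdict."""
    lowered = text.lower()
    result = {"delivery_lure": any(w in lowered for w in DELIVERY_LURE_WORDS),
              "dynamic_dns_link": False, "apk_link": False, "urls": []}
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        result["urls"].append(url)
        if is_dynamic_dns_host(parsed.hostname or ""):
            result["dynamic_dns_link"] = True
        if parsed.path.lower().endswith(".apk"):
            result["apk_link"] = True
    # A lure alone is noise; a lure combined with delivery infrastructure is worth escalating.
    result["suspicious"] = result["delivery_lure"] and (
        result["dynamic_dns_link"] or result["apk_link"])
    return result


def triage(messages):
    """Return the subset of messages that match the MoqHao delivery pattern."""
    return [m for m in messages if classify_sms(m)["suspicious"]]


# Constructed sample SMS bodies (the lure host is a placeholder, not a real indicator).
SAMPLE_MESSAGES = [
    "Votre colis est en attente. Confirmez la livraison: http://lure-placeholder.duckdns.org/app.apk",
    "Your package could not be delivered, track it here: http://example.com/status",
    "Reminder: your appointment is tomorrow at 10:00.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(classify_sms(msg)["suspicious"], msg)
```

In an SMS-gateway or MDM pipeline the same function can be run over message bodies to flag candidates for analyst review; the geofencing described above means a simple URL fetch from outside France will not confirm the payload.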
Sekoia determined that the gathered data may also be sold to other threat actors for profit or used to support extortion operations. The researchers also observed “more than 90.000 unique IP addresses that requested the C2 server distributing MoqHao.”