Delaware, USA – May 21, 2018 – Roaming Mantis banking trojan now contains 27 languages for attacks on users from Europe and the Middle East. Also, attackers created a phishing page to attack owners of iOS devices. Experts from Kaspersky Lab published a study in which they examined all the changes in the trojan over the last month. Earlier, Roaming Mantis supported only 4 languages and targeted primarily South Korea, Japan and Bangladesh. The researchers suggest that financially motivated Chinese hackers are behind this trojan. They distribute the new version of malware using DNS hijacking and compromised routers that redirect users to attackers’ website from where users download malicious apps. Trojan provides full control over infected devices and gathers data to bypass two-factor authentication in various banking applications. The phishing page for iOS devices collects user credentials and payment card information. Also, attackers started experimental attacks on personal computers: hijacked routers redirect PC users to the page containing Coinhive cryptocurrency miner.
It is worth noting that zero-day vulnerability in DrayTek routers allows attackers to change DNS settings. Traces of this attack also lead to China, but the aims of adversaries are still unclear. DrayTek company published a list of vulnerable devices and promised to release firmware updates as soon as possible.
You can use your SIEM with DNS Security Check to monitor anomalies and DNS misconfigurations in your network. This use case can help detect hijacked routers, DNS tunneling and other threats associated with this protocol.