
Series B: Scaling the Paradigm Shift
Raising money is often anti-climactic --- the fundraising process is done, and it's right back to execution and growth. It's important to occasionally sit back and reflect.
February 25, 2021
The capabilities and possible victims of the recent SolarWinds hack and the SunBurst backdoor are becoming clearer as the cybersecurity community continues to investigate the attack. HYAS has performed its own research, collected data from our unique sources, and wants to share insights that add to the industry's understanding of this attack. This blog delves into the infrastructure used by SunBurst to compromise targets and points out another network monitoring solution that may have been compromised.
December 23, 2020
Summary

Roaming Mantis is a Chinese-speaking threat actor group that has been active since at least 2017. The group primarily targets the customers of financial institutions with smishing attacks that deliver the FakeSpy (aka Moqhao) Android trojan, which is designed to steal its victims' information. From October to November 2020, HYAS Intelligence Services observed a Roaming Mantis campaign targeting a Japanese and a Turkish bank that stole the banking credentials of their customers, which were then used in credential stuffing attacks on the banks' websites. HYAS analysis of the Roaming Mantis campaign revealed extensive abuse of Dynamic DNS (DDNS) services, with over 15,000 DNS domains used to host the campaign infrastructure from which the actors launched their attacks.

Threat Analysis Overview

Threat actors frequently abuse Dynamic DNS (DDNS) services and infrastructure for malicious purposes such as distributing malware, hosting command and control (C2) infrastructure, or running phishing campaigns. The low cost of DDNS services, and the ability they give threat actors to quickly build, customize, and operationalize domains and C2 infrastructure for campaigns, make them an attractive option. In addition, DDNS services give threat actors a cover of anonymity, because, unlike traditional domain registration, no publicly available registration information is required. HYAS Intelligence Services regularly observes threat actors abusing DDNS services to launch and carry out attacks in various campaigns. This threat report details how the Roaming Mantis threat actor group has targeted financial institutions in Japan and Turkey and provides suggested mitigation measures.
December 14, 2020