Summary

  • Roaming Mantis is a Chinese-speaking threat actor group that has been active since at least 2017. The group primarily targets the customers of financial institutions with smishing attacks that deliver the FakeSpy (aka Moqhao) Android trojan, which is designed to steal its victims’ information.
  • From October to November 2020, HYAS Intelligence Services observed a Roaming Mantis campaign targeting a Japanese bank and a Turkish bank. The campaign stole the banking credentials of the banks’ customers, which were then used in credential stuffing attacks on the banks’ websites.
  • HYAS analysis of the Roaming Mantis campaign revealed extensive abuse of Dynamic DNS (DDNS) services with over 15,000 DNS domains used to host campaign infrastructure from which the actors launched their attacks.

Threat Analysis

Overview

Threat actors frequently abuse Dynamic DNS (DDNS) services and infrastructure for malicious purposes such as distributing malware, hosting command & control (C2) infrastructure, or running phishing campaigns. The low cost of DDNS services, and the ability they give threat actors to quickly build, customize, and operationalize domains and C2 infrastructure for campaigns, make them an attractive option. In addition, DDNS services provide threat actors with a cover of anonymity because, unlike traditional domain registration, no publicly available registration information is required. HYAS Intelligence Services regularly observes threat actor abuse of DDNS services in various campaigns to launch and carry out attacks. This threat report details how the Roaming Mantis threat actor group has targeted financial institutions in Japan and Turkey and provides suggested mitigation measures.

Roaming Mantis campaign abuses DDNS in attacks on banks           

Most recently, in October 2020, HYAS observed the latest campaign from the Roaming Mantis group targeting a Japanese bank and a separate Turkish bank. Roaming Mantis is a Chinese-speaking threat actor group that has been active since 2017 and primarily targets the customers of financial institutions with information-stealing Android trojans. A review of public sources reveals that the Roaming Mantis campaign predominantly used smishing attacks to distribute its Android malware, such as FakeSpy aka MoqHao. HYAS Intelligence Services has observed smishing to be the preferred tactic, technique and procedure (TTP) of Roaming Mantis, which involves using fraudulent SMS messages to trick victims into clicking on malicious links.

Distribution and Network Infrastructure

HYAS analysis and review of both public and internal sources associated with Roaming Mantis campaigns in October 2020 revealed that the overwhelming number of these incidents involved the abuse of Dynamic DNS (DDNS) services. 

The dynamic DNS domains associated with Roaming Mantis campaigns were observed using a random pattern of 10-character domain names, such as aamldkkskt.[dynamic DNS domain], and throwaway Gmail accounts were used to create and register the domains. Notably, HYAS analysis revealed that in both the Japan Net and Finansbank campaigns, the domains were registered and created by IPs in the same CIDR range, 103.119[.]30.0/24. Leveraging HYAS Insight, HYAS Intelligence Services was able to uncover over 15,000 domains in the Roaming Mantis infrastructure and over 500 Gmail addresses.

With HYAS Insight, the HYAS Intelligence Services team was also able to uncover that the same creator id was used in the campaigns for both Japan Net and Finansbank. It is worth mentioning that not all of the domains HYAS observed were used in the campaign. A possible reason for this is that the actors behind the Roaming Mantis campaign are standing up infrastructure for future attacks, which is behavior that HYAS has observed in other campaign infrastructure.
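A defender can hunt for the naming pattern described above in resolver logs. The following is an added example, not HYAS code: the log format, the `DDNS_ZONES` placeholders, and the function names are assumptions, since the report does not name the DDNS providers involved.

```python
import re
from collections import defaultdict

# Assumption: placeholder DDNS provider zones; substitute the zones your
# resolver actually sees. The report does not name the providers.
DDNS_ZONES = ("ddns.example", "dyn.example")

# Leftmost label of exactly 10 lowercase letters, as in "aamldkkskt".
LABEL_RE = re.compile(r"^[a-z]{10}$")

def split_ddns_name(qname, zones=DDNS_ZONES):
    """Return (label, zone) when qname is one label directly under a DDNS zone."""
    name = qname.rstrip(".").lower()
    for zone in zones:
        suffix = "." + zone
        if name.endswith(suffix):
            label = name[: -len(suffix)]
            if "." not in label:  # ignore deeper names such as www.x.zone
                return label, zone
    return None

def suspicious_queries(log_lines, min_distinct=1):
    """Map client IP -> sorted hostnames that match the reported pattern.

    Each line is 'timestamp client_ip qname' (constructed format). Raising
    min_distinct requires several distinct hits per client, which filters
    out a lone legitimate hostname that happens to be 10 letters long.
    """
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        parsed = split_ddns_name(qname)
        if parsed and LABEL_RE.match(parsed[0]):
            hits[client].add(qname.rstrip(".").lower())
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_distinct}

# Constructed sample log: documentation-range IPs and made-up names, except
# the label "aamldkkskt", which is the example given in the report.
SAMPLE_LOG = [
    "2020-10-21T09:14:02Z 192.0.2.10 aamldkkskt.ddns.example.",
    "2020-10-21T09:14:05Z 192.0.2.10 qwhzpbrtlm.dyn.example",
    "2020-10-21T09:15:40Z 192.0.2.11 homecamera.ddns.example",
    "2020-10-21T09:16:11Z 192.0.2.12 nas01.ddns.example",
    "2020-10-21T09:17:30Z 192.0.2.13 www.aamldkkskt.ddns.example",
    "2020-10-21T09:18:00Z 192.0.2.14 aamldkkskt.example.org",
]
```

The pattern alone also matches benign 10-letter hostnames such as `homecamera`, so treat single hits as leads and use `min_distinct` or other context before blocking.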

Infection Vector: Smishing

HYAS assesses with high confidence that smishing, which is the use of SMS messages with malicious links, is the preferred method of FakeSpy’s distribution. The social engineering techniques employed by the actors in this campaign spoofed a delivery notice from a courier company. In this latest campaign, HYAS observed that victims were infected in one of two methods depending on their mobile phone operating system.


On Android, when a victim clicks on the malicious link in the SMS, a pop-up window is shown that downloads the MoqHao malware in the form of a fake Google Chrome app. Once the fake app is installed, the malware sends the SMS with malicious links to the victim’s contacts. Next, the victim is shown another pop-up window that redirects them to a fake Japan Net website, where they are prompted to enter their banking credentials.

FakeSpy (aka Moqhao)

HYAS observed the Roaming Mantis campaign abusing a DDNS service to distribute malware known as FakeSpy aka MoqHao. The malware is an Android banking trojan or information stealer that initially surfaced in October 2017, when it was observed targeting South Korean users. Since then, the threat actors behind FakeSpy have leveraged the malware in multiple campaigns known as Roaming Mantis and expanded its targets to include users in Japan, Turkey, China, Taiwan, France, Switzerland, Germany, the UK and the United States.

FakeSpy’s key features and capabilities include:

  • Access and steal the device’s contact list
  • Capture and send SMS messages
  • Collect device information such as phone number, IMEI, IMSI, networking information, OS version and device model
  • Collect account information stored on the device, including data in external storage
  • Collect a list of apps installed on the victim’s device
  • Anti-analysis capabilities that enable it to detect when it is being run in an emulator
  • Disguise itself as a legitimate app
  • Exfiltrate data using HTTP requests
  • Ability to conceal its malicious code in encrypted asset files and decrypt them at runtime
  • Encrypt C2 addresses

Recent samples of the malicious Android app analyzed by HYAS are called chrome.apk and have been hosted on websites using dynamic DNS. Installation of chrome.apk requires Android users to click through warnings until seeing the following:

   

The malware asks for permissions to manage contacts, files, phone, and SMS messages. This suggests that one of the malware’s purposes is to spread via SMS. After installation is complete, the malware uses a plain white circle as the app shortcut icon, probably as a simple way to avoid being noticed by the mobile phone user.

On iOS, when a victim clicks on the malicious link in the SMS, a pop-up window is shown that takes the victim to a phishing site, which then redirects straight to the fake Japan Net website where victims are prompted to enter their banking credentials. 

In both methods, victims’ banking credentials are stolen, which are then used in credential stuffing attacks on the legitimate Japan Net Bank’s website. If there is a high balance in the victim’s banking account, the threat actors steal the funds by transferring them to accounts they control.                

Recommendations

HYAS Intelligence Services recommends the following to mitigate against smishing attacks:

  • Users:
    • Educate users on how to identify and not fall victim to smishing attacks. This includes being wary of strange or unfamiliar numbers, not clicking on links in text messages, not giving out personal information such as account details or financial details via text message, and not replying directly to a text message.
  • Organizations:
    • Implement or reaffirm policies requiring users to only download apps from official mobile app stores and avoid untrusted apps.
    • Establish or maintain a public-facing fraud/abuse reporting process to gain early visibility into threat actor campaigns.
    • Consider using network security/DNS solutions like HYAS Protect to preemptively block potentially malicious domains.