January 24, 2023
Anomali Threat Research

Anomali Cyber Watch: Roaming Mantis Changes DNS on Wi-Fi Routers, Hook Android Banking Trojan Has Device Take-Over Capabilities, Ke3chang Targeted Iran with Updated Turian Backdoor

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Banking trojans, DNS hijacking, China, Infostealers, Malvertising, Phishing,</b> and <b>Smishing</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/21xYILPSFOE8Ya2umpJf"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/" target="_blank">Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App in 2022</a></h3> <p>(published: January 19, 2023)</p> <p>In December 2022, a financially-motivated group dubbed Roaming Mantis (Shaoye) continued targeting mobile users with malicious landing pages. iOS users were redirected to phishing pages, while Android users were provided with malicious APK files detected as XLoader (Wroba, Moqhao). Japan, Austria, France, and Germany were the most targeted for XLoader downloads (in that order). All but one targeted country had smishing as an initial vector. In South Korea, Roaming Mantis implemented a new DNS changer function. XLoader-infected Android devices were targeting specific Wi-Fi routers used mostly in South Korea. The malware would compromise routers with default credentials and change the DNS settings to serve malicious landing pages from legitimate domains.<br/> <b>Analyst Comment:</b> The XLoader DNS changer function is especially dangerous in the context of free/public Wi-Fi that serve many devices. Install anti-virus software for your mobile device. Users should be cautious when receiving messages with a link or unwarranted prompts to install software.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/10004" target="_blank">[MITRE ATT&amp;CK] T1078.001 - Valid Accounts: Default Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/10048" target="_blank">[MITRE ATT&amp;CK] T1584 - Compromise Infrastructure</a><br/> <b>Tags:</b> actor:Roaming Mantis, actor:Shaoye, file-type:APK, detection:Wroba, detection:Moqhao, detection:XLoader, malware-type:Trojan-Dropper, DNS changer, Wi-Fi routers, ipTIME, EFM Networks, Title router, DNS hijacking, Malicious app, Smishing, South Korea, target-country:KR, Japan, target-country:JP, Austria, target-country:AT, France, target-country:FR, Germany, target-country:DE, VK, Mobile, Android</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html" target="_blank">Hook: a New Ermac Fork with RAT Capabilities</a></h3> <p>(published: January 19, 2023)</p> <p>ThreatFabric researchers analyzed a new Android banking trojan named Hook. It is a rebranded development of the Ermac malware that was based on the Android banker Cerberus. Hook added new capabilities in targeting banking and cryptocurrency-related applications. The malware also added capabilities of a remote access trojan and a spyware. Its device take-over capabilities include being able to remotely view and interact with the screen of the infected device, manipulate files on the devices file system, simulate clicks, fill text boxes, and perform gestures. Hook can start the social messaging application WhatsApp, extract all the messages present, and send new ones.<br/> <b>Analyst Comment:</b> Users should take their mobile device security seriously whether they use it for social messaging or actually provide access to their banking accounts and/or cryptocurrency holdings. Similar to its predecessors, Hook will likely be used by many threat actors (malware-as-as-service model). It means the need to protect from a wide range of attacks: smishing, prompts to install malicious apps, excessive permissions, etc.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/18609" target="_blank">[MITRE ATT&amp;CK] T1626 - Abuse Elevation Control Mechanism</a> | <a href="https://ui.threatstream.com/attackpattern/18625" target="_blank">[MITRE ATT&amp;CK] T1437.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/17820" target="_blank">[MITRE ATT&amp;CK] T1430 - Location Tracking</a> | <a href="https://ui.threatstream.com/attackpattern/17835" target="_blank">[MITRE ATT&amp;CK] T1516 - Input Injection</a><br/> <b>Tags:</b> detection:Hook, actor:DukeEugene, malware-type:RAT, malware-type:Banking trojan, malware-type:Spyware, Botnet, Device Take-Over, WebSocket, Ermac banking trojan, Cerberus banking trojan, Cryptocurrency, Mobile, Android</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.humansecurity.com/learn/blog/traffic-signals-the-vastflux-takedown?hsLang=en-us" target="_blank">Traffic Signals: The VASTFLUX Takedown</a></h3> <p>(published: January 19, 2023)</p> <p>HUMAN researchers have discovered a massive ad fraud operation dubbed VASTFLUX that was targeting applications on iOS. The actors were able to bid on a slot for in-app advertisement and then run up to 25 invisible video ads under it. VASTFLUX peaked in June 2022, with 12 billion bid requests a day, spoofing 1,700 apps and 120 publishers, and running inside apps on nearly 11 million devices. This campaign used JavaScript obfuscation, blocked certain tracking URLs to evade ad verification tags, and overall enjoyed that in-app advertisements on iOS provide less information to verification providers than ads that run on pages visited within a web browser.<br/> <b>Analyst Comment:</b> It took half a year and four rounds of collective mitigations measures to take the VASTFLUX traffic to zero. Users can help monitor for unexpected app behavior such as rapid battery drain and device slow-down. App developers and ad platforms should implement proposed standards for advertising verification and supply chain transparency.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/17807" target="_blank">[MITRE ATT&amp;CK] T1406 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/18625" target="_blank">[MITRE ATT&amp;CK] T1437.001 - Application Layer Protocol: Web Protocols</a><br/> <b>Tags:</b> VASTFLUX, Ad fraud, Malvertising, In-app advertising, App spoofing, Ad stacking, Verification tag evasion, Advertising verification, JavaScript, Digital Video Ad Serving Template, Mobile, iOS</p> </div> <div class="trending-threat-article"> <h3><a href="https://unit42.paloaltonetworks.com/playful-taurus/" target="_blank">Chinese Playful Taurus Activity in Iran</a></h3> <p>(published: January 18, 2023)</p> <p>Ke3chang (Playful Taurus, APT15, Vixen Panda, Nickel) is a China-sponsored advanced persistent threat group that has been targeting government and diplomatic entities across Africa, the Middle East, North and South America since 2010. In April-December 2022, a new campaign discovered by Palo Alto researchers, targeted Iranian government entities. The campaign utilized three X509 certificates, two related to pfSense firewalls, and an expired certificate related to Senegal’s Ministry of Foreign Affairs infrastructure. Ke3chang used a new version of their custom Turian backdoor, that received some additional obfuscation and a modified network protocol to include the Security Support Provider Interface.<br/> <b>Analyst Comment:</b> It is important to proactively hunt for Ke3chang infrastructure, as the group continuously adds new domains, IP addresses, and abused certificates. Defense-in-depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities. Anomali customers concerned about risks to their digital assets (including similar/typosquatted domains) can try out Anomali's <a href="https://www.anomali.com/resources/data-sheets/anomali-premium-digital-risk-protection" target="_blank">Premium Digital Risk Protection</a> service.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&amp;CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="https://ui.threatstream.com/attackpattern/10035" target="_blank">[MITRE ATT&amp;CK] T1588.004 - Obtain Capabilities: Digital Certificates</a> | <a href="https://ui.threatstream.com/attackpattern/9944" target="_blank">[MITRE ATT&amp;CK] T1207 - Rogue Domain Controller</a> | <a href="https://ui.threatstream.com/attackpattern/9838" target="_blank">[MITRE ATT&amp;CK] T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9716" target="_blank">[MITRE ATT&amp;CK] T1573 - Encrypted Channel</a><br/> <b>Tags:</b> mitre-group:Ke3chang, actor:Playful Taurus, actor:APT15, actor:Vixen Panda, APT, China, source-country:CN, Iran, target-country:IR, detection:Turian, malware-type:Backdoor, VMProtect, file-type:DLL, file-type:EXE, Security Support Provider Interface, pfSense firewalls, Senegal, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware/" target="_blank">IcedID and Infostealers Spread Through Adverts Mimicking Popular Tools</a></h3> <p>(published: January 18, 2023)</p> <p>Several malware delivery campaigns were detected abusing legitimate free and open-source software brands on Google Ads. HP researchers have analyzed two major campaigns delivering IcedID and Vidar Stealer, and smaller campaigns delivering Rhadamanthys Stealer and BatLoader. The attackers were using typosquatting and impersonating popular brands such as Adobe, Audacity, Blender, Discord, Fortinet, GIMP, Microsoft Teams, Notepad++, and many others. Advertisements on the search engine were bought for these copied websites. Users were prompted to a download link leading to an infostealer hosted on a file-sharing service.<br/> <b>Analyst Comment:</b> Consider using an ad-blocker service. Before clicking to download a software, check if the domain name is misspelled. As is always the case, end user education and awareness remains a key component in any organization’s protective arsenal. Until search engines get better in recognizing these kinds of redirect abuse, take extra caution with search results, especially promoted ones. Companies can protect their users by proactively monitoring for typosquatting attempts (use Anomali <a href="https://www.anomali.com/resources/data-sheets/anomali-premium-digital-risk-protection" target="_blank">Premium Digital Risk Protection</a> or similar service).<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a><br/> <b>Tags:</b> detection:IcedID, detection:Vidar Stealer, detection:Rhadamanthys Stealer, detection:BatLoader, malware-type:Infostealer, file-type:EXE, file-type:MSI, file-type:ZIP, Malvertising, Typosquatting, Brand impersonation, Inflated file, Audacity, Blender, Discord, GIMP, Microsoft Teams, Notepad++, 4sync, Telegram, Steam, Windows</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.