Threat actors frequently abuse Dynamic DNS (DDNS) services and infrastructure for malicious purposes such as distributing malware, hosting command & control (C2) infrastructure, or running phishing campaigns. The low cost of DDNS services and the capability they give threat actors to quickly build, customize, and operationalize domains and C2 infrastructure for campaigns make them an attractive option. In addition, DDNS services provide threat actors with a cover of anonymity, since, unlike traditional domain registration, no publicly available registration information is required. HYAS Intelligence Services regularly observes threat actor abuse of DDNS services in various campaigns to launch and carry out attacks. This threat report details how the Roaming Mantis threat actor group has targeted financial institutions in Japan and Turkey and provides suggested mitigation measures.
Most recently, in October 2020, HYAS observed the latest campaign from the Roaming Mantis group targeting a Japanese bank and a separate Turkish bank. Roaming Mantis is a Chinese-speaking threat actor group that has been active since 2017 and primarily targets the customers of financial institutions with information-stealing Android trojans. A review of public sources reveals that the Roaming Mantis campaign predominantly used smishing attacks to distribute its Android malware, such as FakeSpy (aka MoqHao). HYAS Intelligence Services has observed smishing to be the preferred tactic, technique and procedure (TTP) of Roaming Mantis; it involves using fraudulent SMS messages to trick victims into clicking on malicious links.
HYAS analysis and review of both public and internal sources associated with Roaming Mantis campaigns in October 2020 revealed that the overwhelming majority of these incidents involved the abuse of Dynamic DNS (DDNS) services.
The dynamic DNS domains associated with Roaming Mantis campaigns followed a pattern of random 10-character hostnames, such as aamldkkskt.[dynamic DNS domain], and were created and registered using throwaway Gmail accounts. Notably, HYAS analysis revealed that in both the Japan Net and Finansbank campaigns, the domains were registered and created from IPs in the same CIDR range, 103.119[.]30.0/24. Leveraging HYAS Insight, HYAS Intelligence Services was able to uncover over 15,000 domains in the Roaming Mantis infrastructure and over 500 Gmail addresses.
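The indicators in the paragraph above (a 10-letter random hostname under a DDNS parent domain, a creator IP in the 103.119[.]30.0/24 range, and a throwaway Gmail creator address) can be turned into a simple triage rule over DDNS registration data. The following is an added example written for this report, not HYAS code or HYAS Insight output; the DDNS parent domains, the record format and the sample records are constructed placeholders, since the report redacts the actual provider.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumed DDNS parent domains (placeholders; the report redacts the real provider).
DDNS_PARENTS = {"ddns-provider.example", "dyn-host.example"}

# Creator IP range reported for both the Japan Net and Finansbank campaigns
# (defanged in the report as 103.119[.]30.0/24).
SUSPECT_CIDR = ipaddress.ip_network("103.119.30.0/24")

# The observed hostname pattern: exactly ten lowercase letters, e.g. "aamldkkskt".
TEN_RANDOM_LABEL = re.compile(r"^[a-z]{10}$")

# Constructed sample export of DDNS registration records (not real data).
# Format: <date> <fqdn> <creator IP> <creator e-mail>
REGISTRATIONS = """\
2020-10-02 aamldkkskt.ddns-provider.example 103.119.30.77 throwaway0001@gmail.com
2020-10-02 home-nas.ddns-provider.example 198.51.100.4 admin@corp.example
2020-10-03 qwertyuiop.dyn-host.example 203.0.113.9 another.burner@gmail.com
2020-10-03 aamldkkskt.example.com 103.119.30.80 someone@corp.example
"""


def parse_registrations(text: str) -> List[Dict[str, str]]:
    """Parse the constructed export format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, fqdn, ip, email = line.split()
        records.append({"date": date, "host": fqdn, "creator_ip": ip, "creator_email": email})
    return records


def is_ddns_ten_char_host(fqdn: str) -> bool:
    """True when fqdn is <ten lowercase letters>.<known DDNS parent domain>."""
    label, _, parent = fqdn.rstrip(".").lower().partition(".")
    return parent in DDNS_PARENTS and bool(TEN_RANDOM_LABEL.match(label))


def in_suspect_range(ip: str) -> bool:
    """True when the creator IP falls inside the reported /24; malformed input is not a hit."""
    try:
        return ipaddress.ip_address(ip) in SUSPECT_CIDR
    except ValueError:
        return False


def score_record(rec: Dict[str, str]) -> List[str]:
    """Return the sorted list of indicator names that match this record."""
    reasons = []
    if is_ddns_ten_char_host(rec["host"]):
        reasons.append("ddns-10char")
    if in_suspect_range(rec["creator_ip"]):
        reasons.append("creator-ip-cidr")
    if rec.get("creator_email", "").lower().endswith("@gmail.com"):
        reasons.append("gmail-creator")
    return sorted(reasons)


def triage(records: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Keep only records with at least one matching indicator, with their reasons."""
    hits = []
    for rec in records:
        reasons = score_record(rec)
        if reasons:
            hits.append((rec["host"], reasons))
    return hits


if __name__ == "__main__":
    for host, reasons in triage(parse_registrations(REGISTRATIONS)):
        print(f"{host}: {', '.join(reasons)}")
```

A single indicator (a Gmail creator address, say) is weak on its own; the record that matches all three is the one worth escalating first, and the sorted reason list makes it easy to rank hits by how many indicators they satisfy.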
With HYAS Insight, the HYAS Intelligence Services team was also able to uncover that the same creator ID was used in the campaigns for both Japan Net and Finansbank. It is worth mentioning that not all of the domains HYAS observed were used in the campaign. A possible reason for this is that the actors behind the Roaming Mantis campaign are standing up infrastructure for future attacks, which is behavior that HYAS has observed in other campaign infrastructure.
HYAS assesses with high confidence that smishing, which is the use of SMS messages with malicious links, is the preferred method of FakeSpy’s distribution. The social engineering techniques employed by the actors in this campaign spoofed a delivery notice from a courier company. In this latest campaign, HYAS observed that victims were infected via one of two methods, depending on their mobile phone operating system.
On Android, when a victim clicks on the malicious link in the SMS, a pop-up window is shown that downloads the MoqHao malware in the form of a fake Google Chrome app. Once the fake app is installed, the malware sends the SMS with malicious links to the victims’ contacts. Next, the victims are shown another pop-up window that redirects them to a fake Japan Net website where they are prompted to enter their banking credentials.
HYAS observed the Roaming Mantis campaign abusing a DDNS service to distribute malware known as FakeSpy (aka MoqHao). The malware is an Android banking trojan or information stealer that initially surfaced in October 2017, when it was observed targeting South Korean users. Since then, the threat actors behind FakeSpy have leveraged the malware in multiple campaigns known as Roaming Mantis and expanded its targets to include users in Japan, Turkey, China, Taiwan, France, Switzerland, Germany, the UK and the United States.
FakeSpy’s key features and capabilities include:
Recent samples of the malicious Android app analyzed by HYAS are named chrome.apk and have been hosted on websites using dynamic DNS. Installation of chrome.apk requires Android users to click through warnings until seeing the following:
The malware asks for permissions to manage contacts, files, phone, and SMS messages. This suggests that one of the malware’s purposes is to spread via SMS. After installation is complete, the malware uses a plain white circle as the app shortcut icon, probably as a simple way to avoid being noticed by the mobile phone user.
On iOS, when a victim clicks on the malicious link in the SMS, a pop-up window is shown that takes the victim to a phishing site, which then redirects straight to the fake Japan Net website where victims are prompted to enter their banking credentials.
In both methods, the victims’ banking credentials are stolen and then used in credential stuffing attacks on the legitimate Japan Net Bank website. If there is a high balance in the victim’s banking account, the threat actors steal the funds by transferring them to accounts they control.
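From the bank's side, the credential stuffing stage described above has a recognizable shape in authentication logs: one source address cycling through many distinct accounts in a short window, mostly failing, with an occasional success where a phished credential was valid. The following is an added example, not HYAS code or anything from the report; the log format, thresholds and the sample log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample authentication log for a banking login endpoint (not real data).
# Format: <ISO-8601 UTC timestamp> <source IP> <username> <FAIL|OK>
LOGIN_LOG = """\
2020-10-05T09:00:01Z 203.0.113.50 alice FAIL
2020-10-05T09:00:04Z 203.0.113.50 bob FAIL
2020-10-05T09:00:07Z 203.0.113.50 carol FAIL
2020-10-05T09:00:11Z 203.0.113.50 dave OK
2020-10-05T09:00:15Z 203.0.113.50 erin FAIL
2020-10-05T09:00:19Z 203.0.113.50 frank FAIL
2020-10-05T09:01:00Z 198.51.100.7 grace FAIL
2020-10-05T09:01:30Z 198.51.100.7 grace FAIL
2020-10-05T09:02:10Z 198.51.100.7 grace OK
"""

Event = Tuple[datetime, str, str, bool]  # (timestamp, source IP, username, succeeded)


def parse_login_log(text: str) -> List[Event]:
    """Parse the constructed log format into events sorted by timestamp."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def find_stuffing_sources(
    events: List[Event],
    window: timedelta = timedelta(minutes=5),
    min_accounts: int = 5,
    min_failures: int = 5,
) -> Dict[str, Dict[str, object]]:
    """Flag source IPs that, within any sliding window, hit >= min_accounts distinct
    usernames with >= min_failures failures. Thresholds are assumed values for the
    example; tune them to the login volume of the real endpoint.

    Returns {ip: {"accounts": n, "failures": m, "compromised": [users that logged in OK]}}.
    A user with a forgotten password (one account, a few failures) is not flagged.
    """
    by_ip: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for when, ip, user, ok in events:
        by_ip[ip].append((when, user, ok))

    alerts: Dict[str, Dict[str, object]] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window's left edge forward so it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            current = evs[start:end + 1]
            users = {u for _, u, _ in current}
            failures = sum(1 for _, _, ok in current if not ok)
            if len(users) >= min_accounts and failures >= min_failures:
                # Successful logins inside a stuffing window are the accounts to lock first.
                compromised = sorted(u for _, u, ok in current if ok)
                alerts[ip] = {"accounts": len(users), "failures": failures,
                              "compromised": compromised}
    return alerts


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_login_log(LOGIN_LOG)).items():
        print(f"{ip}: {info['accounts']} accounts, {info['failures']} failures, "
              f"successful logins: {info['compromised']}")
```

The successful login inside a flagged window is the actionable part: the bank can hold transfers from that account pending verification rather than relying only on the victim noticing the fake page.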
HYAS Intelligence Services recommends the following to mitigate against smishing attacks: