Kaspersky researchers have observed an updated version of the Wroba malware being delivered by the Roaming Mantis threat actors in a new campaign that uses DNS hijacking to compromise targets.
Aiming to redirect users to fake landing pages for further exploitation, the campaign has been seen expanding beyond South Korea to several European nations for the first time in years.
Expansion of Malware Campaign
Kaspersky researchers detailed a new campaign by the Roaming Mantis group in which an updated Wroba malware has lately been distributed to several European countries.
The campaign starts with either smishing or DNS poisoning of the target's Wi-Fi router; both routes redirect the victim to a phishing website that carries the actual payload for further exploitation. The Wroba malware can be delivered either through such fake websites or through apps, researchers say.
Wroba, also known as MoqHao and XLoader, is a malware that steals the target's financial information for the threat actors and has previously been used mostly in South Korea. Researchers now note that its operators are expanding to several European countries for the first time since the malware's inception.
They have recently observed this malware being spread via smishing in Austria, France, Germany, India, Japan, Malaysia, Taiwan, Turkey, and the U.S. Wroba contains a DNS changer function that can identify certain routers by their model numbers and poison their DNS settings.
Further, this exploitation is not limited to the victim alone: it also reaches anyone the victim connects with over the same network. Researchers noted that "Users with infected Android devices that connect to free or public Wi-Fi networks may spread the malware to other devices on the network if the Wi-Fi network they are connected to is vulnerable".
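The router DNS-changer behaviour described above leaves two observable traces on a network: the DNS servers the router hands out via DHCP change, and sentinel domains start resolving differently through the network resolver than through an independent trusted resolver. The following is an added defensive check written for this article, not code from Kaspersky or from the malware; the DHCP/DNS observations are constructed sample data using reserved documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and the allow-list and sentinel domains are assumptions a network admin would fill in.

```python
"""Detect signs of router DNS hijacking on a home or office network.

Check 1: DNS servers advertised by the router's DHCP must be on an allow-list
         (the router's own LAN address or the resolvers the admin chose).
Check 2: sentinel domains must resolve identically through the network resolver
         and through an independent trusted resolver; a divergence is how a
         poisoned router steers users to fake landing pages.
The data below is constructed for this example, not observed in the wild.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]  # domain -> set of A-record addresses


def rogue_dns_servers(advertised: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Return advertised DNS servers not covered by any allowed host or CIDR."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return [s for s in advertised
            if not any(ipaddress.ip_address(s) in n for n in nets)]


def divergent_answers(domains: Iterable[str], local: Resolver,
                      trusted: Resolver) -> Dict[str, dict]:
    """Resolve each domain both ways; report those whose answer sets differ."""
    findings = {}
    for d in domains:
        l, t = local(d), trusted(d)
        if l != t:
            findings[d] = {"local": sorted(l), "trusted": sorted(t)}
    return findings


# Constructed sample: the router should only advertise itself or 1.1.1.1/9.9.9.9,
# but after tampering it also advertises an attacker-controlled TEST-NET address.
ALLOWED = ["192.168.1.1", "1.1.1.1", "9.9.9.9"]
ADVERTISED = ["192.168.1.1", "203.0.113.45"]
TRUSTED_VIEW = {"bank.example": {"198.51.100.10"}, "mail.example": {"198.51.100.20"}}
LOCAL_VIEW = {"bank.example": {"203.0.113.99"}, "mail.example": {"198.51.100.20"}}


def audit(advertised=ADVERTISED, allowed=ALLOWED,
          local_view=LOCAL_VIEW, trusted_view=TRUSTED_VIEW) -> dict:
    """Run both checks; 'hijacked' is True if either one fires."""
    rogue = rogue_dns_servers(advertised, allowed)
    divergent = divergent_answers(trusted_view, lambda d: local_view[d],
                                  lambda d: trusted_view[d])
    return {"rogue_servers": rogue, "divergent": divergent,
            "hijacked": bool(rogue or divergent)}


if __name__ == "__main__":
    print(audit())
```

In a live deployment the two resolver callables would wrap a query against the DHCP-advertised server and a query against a trusted DNS-over-HTTPS resolver, so a compromised router cannot tamper with the reference answers.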