Originally posted on April 1st, 2020
Let’s go threat hunting in Censys! In this case, we’re hunting for RoamingMantis, a mobile banking threat that affects users by altering local DNS settings for further endpoint abuse. DNS Changer malware isn’t new, but RoamingMantis is a new delivery vehicle.
Starting from a tweet by Japanese researcher @ninoseki, I looked at the C2 for anything unique to pivot on. Not much doing there, pretty Spartan and all. Searching Censys for a few of its unique tidbits yields nothing.
When we look at that IP in Censys, however, we see something unique about the page. At a glance it looks like the USPS – US Postal Service – site, but then you come across this JavaScript snippet.
Bingo – it fingerprints the device via the user-agent string and checks for a mobile platform. If it finds one, it attempts to load an APK.
When we search for that string – the one that loads the “post.apk” file – we find a few hosts, including our original 216.198.66.107 host. Using a third-party site for passive DNS history we can also see what URLs and domain names have resolved to those IP addresses.
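To turn the behaviour described above into something repeatable, here is an added example (my own code, not from the original post and not the script seen on the host) that scans HTTP response bodies for an inline script that reads `navigator.userAgent`, checks for a mobile platform, and either references an `.apk` or redirects the visitor. The host addresses and page bodies are constructed test data, not captures from the hosts in the post; the extracted `.apk` reference is the kind of string the post pivots on in Censys.

```python
import re
from typing import Dict, List, Optional

# Constructed sample bodies (TEST-NET addresses, not the hosts from the post).
# The first mimics the described behaviour: a fake parcel page that sniffs the
# user-agent and hands mobile visitors an .apk. The second only redirects, and
# the third is a benign page with an ordinary script.
SAMPLE_BODIES: Dict[str, str] = {
    "198.51.100.10": """<html><head><title>Track your package</title></head><body>
<script>
var ua = navigator.userAgent.toLowerCase();
if (ua.indexOf("android") > -1) { window.location.href = "/post.apk"; }
</script>
</body></html>""",
    "198.51.100.11": """<html><body><script>
if (/iphone|ipad/i.test(navigator.userAgent)) { location = "https://example.invalid/login"; }
</script></body></html>""",
    "198.51.100.12": """<html><body><p>Nothing here</p>
<script>console.log("hi");</script></body></html>""",
}

# Patterns for the three ingredients: a UA read, a mobile keyword, and either
# an .apk reference or a client-side redirect.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UA_SNIFF_RE = re.compile(r"navigator\s*\.\s*userAgent", re.I)
MOBILE_KEYWORD_RE = re.compile(r"android|iphone|ipad|ipod|mobile", re.I)
APK_REF_RE = re.compile(r"""["']([^"'\s]*\.apk)["']""", re.I)
REDIRECT_RE = re.compile(
    r"(?:window\s*\.\s*)?location(?:\s*\.\s*(?:href|replace|assign))?\s*[=(]", re.I
)


def scan_body(host: str, body: str) -> Optional[dict]:
    """Return a finding for one HTTP body, or None if nothing suspicious.

    verdict is "apk_dropper" when a UA-sniffing script references an .apk,
    "ua_redirect" when it only sniffs the UA and redirects, else None.
    """
    apk_refs: List[str] = []
    ua_sniff = False
    redirect = False
    for script in SCRIPT_RE.findall(body):
        # Only scripts that both read the UA and name a mobile platform count.
        if not (UA_SNIFF_RE.search(script) and MOBILE_KEYWORD_RE.search(script)):
            continue
        ua_sniff = True
        apk_refs.extend(APK_REF_RE.findall(script))
        if REDIRECT_RE.search(script):
            redirect = True
    if not ua_sniff:
        return None
    if apk_refs:
        verdict = "apk_dropper"
    elif redirect:
        verdict = "ua_redirect"
    else:
        return None
    return {"host": host, "verdict": verdict, "apk_refs": sorted(set(apk_refs))}


def hunt(bodies: Dict[str, str]) -> List[dict]:
    """Scan a {host: body} mapping and return findings in host order."""
    findings = []
    for host in sorted(bodies):
        finding = scan_body(host, bodies[host])
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_BODIES):
        print(f"{f['host']}: {f['verdict']} apk_refs={f['apk_refs']}")
```

Feed it bodies exported from a scan-data search and the `apk_refs` it returns become new strings to search for and IPs to run through passive DNS. A responsive site that reads the UA to pick a layout will not trip it unless it also redirects, but a legitimate app-store landing page that links an `.apk` for Android visitors will, so treat the verdict as a lead to confirm, not a conviction.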
The AlienVault OTX site – a community driven threat intelligence platform – has some great details on those IPs, including names and URLs:
And like that we can augment threat intel reports by doing some recon and investigation on our end, then using search engines like Censys and others to supplement those insights and produce our own threat intelligence.
Additional references:
- Roaming Mantis, part V, SecureList 27 Feb 2020
- Roaming Mantis from New Jersey Cyber
- Hundreds Targeted in Recent Roaming Mantis Campaign from SecurityWeek
- Roaming Mantis Swarms Globally, Spawning iOS Phishing, Cryptomining from ThreatPost
- Meet the Roaming Mantis, the world’s most pervasive smartphone malware threat from BW World Online
- ‘Roaming Mantis’ Android Malware Evolves, Expands Targets from Dark Reading
- Roaming Mantis malicious redirection campaign preys on Android, iOS and PC users from SC Magazine