"Roaming Mantis Uses New DNS Changer in Its Wroba Mobile Malware"

Researchers spotted Roaming Mantis threat actors using an updated version of their mobile malware, Wroba, to attack Wi-Fi routers and take control of their Domain Name System (DNS) settings. Roaming Mantis emerged in March 2018, hacking routers in Japan to redirect users to malicious websites. Roaming Mantis is a credential theft and malware operation that distributes malicious Android apps in APK file format via smishing. The attack targeted users in Asia with fake websites. The majority of affected users were located in Bangladesh, Japan, and South Korea. Over the years, the threat actors have targeted users in Russia, India, Bangladesh, Kazakhstan, Azerbaijan, Iran, Vietnam, and Europe. In September 2022, researchers examined the new variant of Wroba and determined that it was customized to target certain Wi-Fi routers in South Korea. With the new DNS changer functions, Roaming Mantis threat actors can control all communications from devices that use a compromised Wi-Fi network. An attacker can manipulate security product updates and redirect users to malicious websites. This article continues to discuss the Roaming Mantis threat actors using a new variant of their mobile malware Wroba to hijack DNS settings of Wi-Fi routers.

Security Affairs reports "Roaming Mantis Uses New DNS Changer in Its Wroba Mobile Malware"
