
Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones


steven36


According to new research by Kaspersky's GReAT team, the Roaming Mantis group's criminal operations have continued to evolve since they were first discovered in April 2018. The group compromises vulnerable routers and changes their DNS settings so that traffic from devices behind the router can be redirected: Android users are sent to malicious apps disguised as Facebook and Chrome, and iOS users to Apple phishing pages that steal Apple ID credentials.

 

https://s7d5.turboimg.net/sp/d53e8e82a3dd253cc13f7f627ede1492/apple-bits.jpg

 

Recently, Kaspersky discovered that the group is testing a new monetization scheme: instead of the usual Apple phishing page, iOS users are redirected to a page that carries the Coinhive in-browser mining script. Users redirected there see a blank page in the browser, but the device's CPU utilization jumps to 90% or higher.

 

https://s7d1.turboimg.net/sp/9c574c896074eff1f0b56b1f56d77d9b/mining-page-cpu.png

Blank page utilizing Coinhive

 

The CPU spike is caused by the page loading the Coinhive mining script shown below.

https://s7d4.turboimg.net/sp/8d7bee70446084ffc5610e88fa2f57a6/coinhive-script.png

Coinhive Mining Script

 

 

The day after GReAT discovered this new page, the attackers reverted to redirecting to the Apple phishing page, so this appears to be a test rather than a finished campaign.

Limited hacking of Japanese devices

After Japanese researchers began publishing reports on Roaming Mantis, the group started making an effort to avoid infecting Japanese devices.

 

On the landing pages that users were redirected to, Kaspersky noticed JavaScript that checks whether the device's language is set to "ja" (Japanese). If the Japanese language is detected, the page offers the visitor neither the malicious applications nor the redirects.

 

https://s7d8.turboimg.net/sp/39792109d28fa8dc85a61cd6519edaa7/check-for-japanese-visitor.png

Checking for Japanese Browser Language

 

 

Spreading via scam adverts on Prezi.com

The group also appears to be taking a page out of the adware handbook by promoting scam sites for adult videos, games, music, and downloads.

These scam sites are promoted through Prezi.com, a presentation-sharing site, where the group creates pages containing links to shortened URLs at https://tinyurl.com. Visitors who follow these URLs are redirected to various scam sites, as shown below.

 

https://s7d5.turboimg.net/sp/d68e4174556d771a10bf516bf11ba5b8/prezi-ads.png

Prezi.com Ads

 

 

Protecting your devices

To protect yourself from attacks like this, make sure your router is running the latest firmware so that known vulnerabilities are patched. Because the attack works by pointing the router's DNS settings at an attacker-controlled resolver, it is also worth checking those settings in the router's admin interface: any DNS server you did not configure and that is not your ISP's should be treated as a sign of compromise. Kaspersky also suggests that Android users turn off the ability to install apps from third-party sites.

 

"We strongly recommend that Android users turn off the option that allows installation of applications from third-party repositories, to keep their device safe," stated Kaspersky's research. "They should also be suspicious if their phones become unusually hot, which may be a side-effect of the hidden crypto-mining application in action."

 

Source

 
