Dropping XLoader
In a report published today, researchers at cybersecurity company SEKOIA say that the Roaming Mantis group is now dropping the XLoader (MoqHao) payload on Android devices, a capable piece of malware whose features include remote access, information stealing, and SMS spamming. The ongoing Roaming Mantis campaign is targeting French users and starts with an SMS sent to prospective victims, urging them to follow a URL.
Following attacks on users of Android and iOS in Germany, Taiwan, South Korea, Japan, the US, and the UK, the Roaming Mantis operation turned its attention to France, possibly compromising tens of thousands of devices. Roaming Mantis is thought to be a financially motivated threat actor that began concentrating on European consumers in February. In its recent campaign, the actor lured consumers into downloading malware onto their Android devices via SMS, while potential victims on iOS are forwarded to a phishing page seeking Apple credentials.
The command and control (C2) configuration is retrieved from hardcoded Imgur profile destinations, where it is stored base64-encoded to evade detection; decoding the string yields the final C2 IP address. Base64 is an obfuscation rather than encryption, so the address is trivially recoverable once the profile is known. [Figure: Decrypting the string to derive the final IP address (SEKOIA)] SEKOIA confirmed that over 90,000 unique IP addresses have requested XLoader from the main C2 server so far, so the victim pool may be significant.
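The dead-drop scheme above (a C2 address kept base64-encoded in a public profile) is simple to reproduce on the analyst side. The Python below is an added example, not SEKOIA's or the malware's code: it scans a constructed profile text for base64-looking tokens and keeps only those that decode to an IPv4 address with an optional port. The sample text and the address 192.0.2.15 are constructed (192.0.2.0/24 is the TEST-NET-1 documentation range); the report does not describe the operators' exact delimiter or marker, so the scan is generic rather than keyed to a specific marker.

```python
import base64
import binascii
import ipaddress
import re

# Constructed sample of a profile "bio" hiding a C2 address. The first token
# is base64 for "hello world" (a decoy that decodes cleanly but is not an
# address); the second is base64 for "192.0.2.15:8080".
SAMPLE_PROFILE_TEXT = (
    "Photos and travel. aGVsbG8gd29ybGQ= follow for more "
    "MTkyLjAuMi4xNTo4MDgw see you soon"
)

# Runs of base64 alphabet of at least 8 characters with optional '=' padding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# Dotted-quad IPv4 with an optional :port suffix.
_HOST_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")


def decode_candidates(text):
    """Return (token, decoded_text) for every base64-looking token in text
    that decodes to printable ASCII. Tokens failing strict base64 validation
    or decoding to binary junk are dropped."""
    out = []
    for match in _B64_TOKEN.finditer(text):
        token = match.group(0)
        # Re-pad so blobs whose trailing '=' was stripped still decode.
        padded = token + "=" * (-len(token) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
            decoded = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if decoded and decoded.isprintable():
            out.append((token, decoded))
    return out


def extract_c2(text):
    """Return [(ip, port_or_None), ...] for decoded tokens that form a valid
    IPv4 address, optionally followed by a port in 1..65535."""
    found = []
    for _token, decoded in decode_candidates(text):
        m = _HOST_PORT.match(decoded.strip())
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))  # rejects octets above 255
        except ipaddress.AddressValueError:
            continue
        port = int(m.group(2)) if m.group(2) else None
        if port is not None and not 1 <= port <= 65535:
            continue
        found.append((str(ip), port))
    return found


if __name__ == "__main__":
    for ip, port in extract_c2(SAMPLE_PROFILE_TEXT):
        print(f"C2 candidate: {ip}" + (f":{port}" if port else ""))
```

The decoy token shows why decoding alone is not enough: plenty of base64 blobs decode to readable text, so the address-shape check and the octet validation done by ipaddress are what separate a C2 indicator from noise.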
The lure text message tells the recipient that a package has been sent to them and that they need to review it and arrange its delivery. If the user is located in France and uses an iOS device, they are directed to a phishing page that steals Apple credentials. Android users are pointed to a site that delivers the installation file for a mobile app (an Android Package Kit, or APK). The APK mimics a Chrome installation and requests risky permissions such as SMS interception, making phone calls, reading and writing storage, handling system alerts, getting the accounts list, and more.
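A first triage step for an APK like the one described is to compare the permissions it requests against what the app it impersonates would plausibly need. The Python below is an added example, not code from SEKOIA or from the malware: it parses a decoded AndroidManifest.xml (constructed here to mirror the permission set the article lists; real manifests are binary-encoded inside the APK and must be decoded first, for instance with apktool) and flags the SMS/call/overlay/storage/accounts combination. The package id com.example.fakechrome, the label and the benign manifest are constructed; com.android.chrome is the genuine Chrome package id.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
GENUINE_CHROME_PACKAGE = "com.android.chrome"  # real Chrome package id

# Permissions matching the capabilities the report attributes to the fake
# Chrome APK, mapped to why each matters for an SMS-spreading stealer.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS (spread the lure, SMS spam)",
    "android.permission.CALL_PHONE": "place calls without user interaction",
    "android.permission.READ_EXTERNAL_STORAGE": "read user files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write user files",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.GET_ACCOUNTS": "enumerate accounts on the device",
}

# Constructed, decoded manifest standing in for the fake Chrome APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application android:label="Chrome"/>
</manifest>
"""

# Constructed manifest of a harmless app for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def triage(manifest_xml):
    """Score a manifest against the fake-Chrome profile. Returns package id,
    label, the risky permissions hit, human-readable findings and a verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    label = app.get(f"{{{ANDROID_NS}}}label") if app is not None else None
    perms = requested_permissions(manifest_xml)
    risky = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}

    findings = []
    if label == "Chrome" and package != GENUINE_CHROME_PACKAGE:
        findings.append(f"labelled 'Chrome' but package id is {package}, not {GENUINE_CHROME_PACKAGE}")
    sms = [p for p in risky if p.endswith("_SMS")]
    if sms:
        findings.append("requests SMS access: " + ", ".join(sms))
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in risky
    calls = "android.permission.CALL_PHONE" in risky
    if overlay:
        findings.append("requests overlay permission (used for credential-phishing overlays)")
    if calls:
        findings.append("can place calls without user interaction")

    # SMS access combined with overlays or calling is the stealer/spammer
    # pattern described for XLoader; any other risky permission merits a
    # look; none is low.
    if sms and (overlay or calls):
        verdict = "high"
    elif risky:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": package, "label": label, "risky": risky,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{name}: {result['verdict']} ({len(result['risky'])} risky permissions)")
        for finding in result["findings"]:
            print("  -", finding)
```

The label-versus-package check matters as much as the permission list: a sideloaded APK can call itself "Chrome" freely, but it cannot carry Google's package id and signature, so a mismatch there is a cheap, high-confidence indicator of impersonation.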
The number of iOS users who have handed over their Apple iCloud credentials on the Roaming Mantis phishing page is unknown and could be similar or even higher.
Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications.