{
	"id": "0e3d21a8-3a91-48c5-8864-5043ed2a5a46",
	"created_at": "2026-04-06T00:22:20.189581Z",
	"updated_at": "2026-04-10T03:34:59.375465Z",
	"deleted_at": null,
	"sha1_hash": "084fabe6f6bb41cd07b3df61f389c6720b765a18",
	"title": "Roaming Mantis, part V",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1736683,
	"plain_text": "Roaming Mantis, part V\r\nBy Suguru Ishimaru\r\nPublished: 2020-02-27 · Archived: 2026-04-05 20:15:51 UTC\r\nKaspersky has continued to track the Roaming Mantis campaign. The group’s attack methods have improved and\r\nnew targets continuously added in order to steal more funds. The attackers’ focus has also shifted to techniques\r\nthat avoid tracking and research: allowlist for distribution, analysis environment detection and so on. We’ve also\r\nobserved new malware families: Fakecop (also known as SpyAgent by McAfee) and Wroba.j (also known as\r\nFunkybot by Fortinet).\r\nDistribution of Wroba.g via SMiShing with impersonated brands\r\nIn 2018, the group added a distribution method for Wroba.g (aliases: Moqhao and XLoader), in addition to the\r\noriginal method of DNS hijacking. It was SMiShing using a spoofed delivery notice from a logistics company. In\r\n2019, we confirmed another new method where a downloaded malicious APK file has an icon that impersonates a\r\nmajor courier company brand. The spoofed brand icon is customized for the country it targets, for example,\r\nSagawa Express for Japan; Yamato Transport and FedEx for Taiwan; CJ Logistics for South Korea and Econt\r\nExpress for Russia.\r\nExamples of SMiShing with Android malware icons impersonating brands\r\nIn February 2020, the attacker modified a SMiShing message from a spoofed absence notification to “delivering\r\nfree masks for the coronavirus issue” in Japan, according to a warning by Japan Cybercrime Control Center (JC3).\r\nThis once again shows that criminals always make use of hot topics in their activities.\r\nhttps://securelist.com/roaming-mantis-part-v/96250/\r\nPage 1 of 7\n\nAllowlist feature of Wroba.g landing page for Korea only\r\nThe Roaming Mantis actor also employed a new feature in their Wroba.g landing page – currently only on the\r\nKorean page. It’s a allowlist feature to evade security researchers. 
When a user visits the landing page, they have\r\nto enter their phone number for confirmation. If the phone number is on the allowlist, the landing page distributes\r\na malicious app.apk:\r\nThe fake CJ Logistics landing page includes an allowlist\r\nThe actor has a habit of trying out their new methods in Korean first. It means the method described above may be\r\napplied later on landing pages in other languages as well. If that happens, it would make it almost impossible for\r\nresearchers to obtain a sample, because it would require a specific phone number in the actor’s allowlist database.\r\nMultidex obfuscation trick in a loader module of Wroba.g\r\nA single Dalvik Executable (DEX) has a 64K method reference limit. As a workaround, a Multidex configuration allows\r\nthe application to be built with, and load, multiple DEX files. In 2019, the actor used Multidex in an APK file to hide a\r\nmalicious loader module as an obfuscation trick. Our analysis shows that it has been modified little by little:\r\nTransition of obfuscation using Multidex\r\nThe classes${num}.dex marked with a red square is the actual malicious loader module. All the other DEX files\r\nare simply junk code. However, the encrypted payload of Wroba.g is still under the assets directory and can be\r\ndecrypted by the simple Python script described in our previous blogpost.\r\nWroba.g is targeting carrier billing and online banks in Japan\r\nThe actor has a strong financial motivation. They are targeting carrier billing and online bank accounts. 
They have\r\nimplemented redirection to phishing sites to steal credentials in the decrypted payload of Wroba.g:\r\nHardcoded pkg name, URL of pinterest.com and pop-up message\r\nWhen the malware detects a specific package of a Japanese online bank or specific mobile carriers on the infected\r\ndevice, it connects in the background to a hardcoded malicious account of pinterest.com to fetch a phishing site\r\nwith an alert message. The message claims that it has blocked unauthorized access from a third party and asks the\r\nuser to click on a button to confirm they want to proceed. If the user clicks the button, they will be redirected to a\r\nphishing site:\r\nRedirecting to a phishing site via malicious account on pinterest.com\r\nThe targeted packages for online banks and mobile carriers correspond to the relevant accounts on pinterest.com\r\nthat lead to phishing sites:\r\nPkg or mobile carrier | Account on pinterest.com | Phishing site in Dec 2019 | Phishing site in Jan 2020\r\njp.co.japannetbank.smtapp.balance | nor********** | jnb.jp-bankq[.]com | N/A\r\njp.co.jibunbank.jibunmain | abi******** | jibun.jp-bankq[.]com | N/A\r\njp.co.netbk.smartkey.SSNBSmartkey | sin************* | sbi.jp-bankq[.]com | N/A\r\njp.co.rakuten_bank.rakutenbank | kel*************** | rakuten.jp-bankq[.]com | N/A\r\njp.co.sevenbank.AppPassbook | gh6****** | seven.jp-bankq[.]com | N/A\r\njp.co.smbc.direct | eme************* | smbc.jp-bankq[.]com | smbc.bk-securityo[.]com\r\njp.japanpost.jp_bank.FIDOapp | fel*************** | jppost.jp-bankq[.]com | N/A\r\njp.mufg.bk.applisp.app | sho************* | mufg.jp-bankq[.]com | N/A\r\nDocomo | ami*********** | nttdocomo-uh[.]com | nttdocomo-xm[.]com\r\nau | pos*********** | au-ul[.]com | au-xm[.]com\r\nSoftbank | ash************ | epos-ua[.]com | N/A\r\nAs can be seen in the table above, all the accounts have 
corresponding phishing sites as of December 2019 (data\r\nprovided by @ninoseki on Twitter). These destination URLs are continuously changed by the attackers. In January\r\n2020, only three of these accounts were enabled for some reason. However, as it’s easy for the criminals to modify\r\nthe phishing page address, apps without corresponding phishing sites are also likely to be attacked again in the\r\nnear future.\r\nWroba.j and Fakecop discovered in 2019\r\nRoaming Mantis has been using Wroba.g and Wroba.f as its main Android malware. In April 2019, we observed\r\ntwo more malware families, Wroba.j and Fakecop. These two malware families have some similarities with the\r\nother families in terms of infrastructure, distribution channel, etc. We have created some slides, Roaming Mantis:\r\nA melting pot of Android bots in Botconf2019, showing the timeline, impersonated brands, malware features and\r\nmoney laundering method.\r\nBased on our telemetry data, detection rates of both malicious programs were very low. We believe that this was a\r\ntest by the attacker. However, the most alarming thing we discovered was the following SMS spamming function\r\nin Wroba.j:\r\nGenerating feedback for SMS spamming results\r\nThe function automatically creates a sophisticated list of phone numbers from the feedback for SMS spamming\r\nresults. 
This malware also has another function that checks the International Mobile Subscriber Identity (IMSI)\r\nto identify mobile carriers in Japan and add the phone number to a relevant spamming list.\r\nChecking the IMSI of mobile carrier Docomo\r\nAccording to the hardcoded IMSIs and strings shown below, the attacker seems to be targeting Docomo and\r\nSoftbank mobile carriers.\r\nIMSI of Docomo:\r\n44001 4401 44058\r\n44002 4402 4406\r\n44003 4403 44087\r\n44009 44049 44099\r\nIMSI of Softbank:\r\nConclusion\r\nThe Roaming Mantis actor is strongly motivated by financial gain and is eager to evade tracking by researchers. It\r\nis now employing yet another method – allowlisting – to achieve this. This new method is currently only being\r\napplied for Korean pages, but it’s only a matter of time before it’s implemented for other languages.\r\nThe actor is still very active in using SMiShing for Android malware distribution. This is particularly alarming,\r\nbecause it means all infected mobile devices could form a botnet for malware delivery, SMiShing, and so on. 
ISPs,\r\ntogether with security companies, need to keep a close eye on the Roaming Mantis campaign to understand how to\r\ncombat it.\r\nFurther reading\r\nFurther information about the Fakecop and Wroba.j families has also appeared in the following blogs published by\r\nMcAfee and Fortinet respectively:\r\nMoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play\r\nFunkyBot: A New Android Malware Family Targeting Japan\r\nThese blogposts provide some interesting updates on Roaming Mantis activities during 2019.\r\nExample MD5 hashes for each APK\r\ne6ae4277418323810505c28d2b6b3647 Wroba.g\r\n939770e5a14129740dc57c440afbf558 Wroba.f\r\n521312a8b5a76519f9237ec500afd534 Wroba.j\r\n6d29caaa8b30cc8b454e74a75d33c902 Fakecop\r\nSource: https://securelist.com/roaming-mantis-part-v/96250/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/roaming-mantis-part-v/96250/"
	],
	"report_names": [
		"96250"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434940,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/084fabe6f6bb41cd07b3df61f389c6720b765a18.pdf",
		"text": "https://archive.orkl.eu/084fabe6f6bb41cd07b3df61f389c6720b765a18.txt",
		"img": "https://archive.orkl.eu/084fabe6f6bb41cd07b3df61f389c6720b765a18.jpg"
	}
}