### Roaming Mantis: an Anatomy of a DNS Hijacking Campaign

Suguru Ishimaru (GReAT APAC, Kaspersky Lab), Manabu Niseki (NTT-CERT, NTT SC Labs), Hiroaki Ogawa (Professional Service, McAfee)

-----

##### Contents

1. Introduction
2. What is Roaming Mantis
3. MoqHao and SMShing
4. Attribution
5. Conclusions

-----

## $ whoami

Introduction of ourselves

-----

##### Who are we..?

- Suguru Ishimaru: GReAT APAC
- Manabu Niseki: NTT-CERT
- Hiroaki Ogawa: Professional Service

-----

## $ man roamingmantis

What is Roaming Mantis

-----

##### What is Roaming Mantis?

- Cyber criminal campaign
- Compromised routers
- Targets multiple platforms and multiple languages
- Started in early 2018

Delivered content: multilingual malicious APK, phishing site, web mining.

-----

##### What is Roaming Mantis?

- Roaming: the compromised routers
- Mantis: Bugdroid’s color, plus the mistakes (bugs) in the malware

-----

##### Roaming Mantis aka 少爺 (Shaoye)

- 57東森財經新聞台: 「少爺殭屍」網路擴散!全球百萬筆個資遭竊 (“Shaoye zombie” spreads over the internet! A million personal-data records stolen worldwide) (2018/06/07)
  - https://www.youtube.com/watch?v=NEVMxhXG2lE
- TWNCERT: Shaoye Botnet Affecting Network Devices in Asia-Pacific (2018/06/14)
  - https://www.nccst.nat.gov.tw/NewsRSSDetail?lang=en&RSSType=news&seq=16111

TWNCERT says:

- At least 6,000 mobile devices are infected with malicious apps, leaking more than 1 million pieces of personal information.
- The infection has spread to 55 countries; South Korea, the main target, accounts for 75% of victims.

-----

##### Compromised routers

-----

##### Rogue DNS servers

| | A | B | C | D |
|---|---|---|---|---|
| Primary | 1.53.252.215 (Vietnam) | 171.244.3.110 (Vietnam) | 118.30.28.38 (China) | 42.112.35.45 (Vietnam) |
| Secondary | 1.53.252.164 (Vietnam) | 171.244.3.111 (Vietnam) | 118.30.28.39 (China) | 42.112.35.55 (Vietnam) |

-----

##### Korea is the first priority target

- 168.126.63.1 (Korea Telecom / Korea)
- 203.248.252.2 (LG DACOM Corporation / Korea)
- 219.250.36.130 (SK Broadband Co Ltd / Korea)

Note: these are legitimate DNS servers in Korea.

-----

##### DNS changer

- My handmade honeypot (which impersonates a Korean router) observed a DNS changer payload via 205.209.174.238.
- The Roaming Mantis DNS changer works in two steps:
  1. Taking a fingerprint of the target.

-----

##### JS DNS changer

The router’s DNS settings are potentially compromised if a device on the local network loads the DNS changer’s URL query while behind a router with the following conditions:

- No authentication for the router panel from the local network
- The device has an admin session for the router panel
- Simple (or default) ID and password for the router panel, such as admin:admin / user:user

-----

##### KSN data for detection of rogue DNS (1 – 19 Aug 2019)

98,000+ detections based on KSN data. Top countries:

1. Russia
2. India
3. Vietnam
4. Bangladesh
5. Japan
6. Kazakhstan
7. Indonesia
8. Pakistan
9. Taiwan

-----

##### Landing page

-----

##### Using Taiwanese hosts as landing pages

- HiNet: 1.171.153.177, 1.171.154.9, 1.171.156.75, 1.171.158.91, 1.171.169.160, 1.171.169.201, 1.171.171.34, 1.171.174.228, 1.171.175.167, etc.
- SEEDNET: 175.181.255.52, 112.104.27.225, 112.104.26.33

-----

##### Targeted multi platform

- Malicious APK file (MoqHao)
- Phishing
- Mining

-----

##### Accessing a landing page with iOS

-----

##### Accessing a landing page with Android

-----

## $ file moqhao.apk

MoqHao and SMShing

-----

##### MoqHao via SMShing

- MoqHao (aliases: Shaoye and XLoader) spreads via SMShing that impersonates Japanese logistics brands in Japan.

-----

##### Spreading chain

- An infected Android device sends an SMS containing a bit.ly link.

-----

##### Phishing website in Japan

- iOS
- Android: apk (MoqHao)

-----

##### In July 2019, new target is …

-----

##### 黑貓宅急便 is targeted in Taiwan

- Since early July 2019, MoqHao SMShing has been targeting 黑貓宅急便 (a Taiwanese parcel-delivery brand) in Taiwan.

-----

##### 黑貓宅急便 landing page

Apple phishing

-----

##### Phishing website in Taiwan

- iOS
- Android: smartcat.apk (MoqHao)

-----

##### Android malware MoqHao (smartcat.apk)

MoqHao contains an encrypted payload that is executed by a loader module:

Loader module → Encrypted payload

-----

##### Android malware MoqHao

The MoqHao payload module is a backdoor: 20 backdoor commands, 4,000+ records of stolen information.

Backdoor commands:

1. sendSms
2. setWifi
3. gcont
4. lock
5. bc
6. setForward
7. getForward
8. hasPkg
9. setRingerMode
10. setRecEnable
12. showHome
13. getnpki
14. http
15. onRecordAction
16. call
17. get_apps
18. show_fs_float_window
19. Ping
20. getPhoneState

Stolen information:

- IP
- Language
- ID (email)
- Password
- Name
- Address
- Credit card info
- Two-factor auth
- Bank info

-----

##### Improving crypto algorithm of loader module

The loader’s payload encoding has been changed repeatedly; layers seen across versions include Base64, Zlib, a 4-byte skip, DES with key “xieurjke”, and ZIP.

Decoder for the “Skip 4 bytes + Zlib + Base64” variant:

```python
import sys
import zlib
import base64

# Skip 4 bytes + Zlib + Base64: drop the first 4 bytes, inflate, then Base64-decode
data = open(sys.argv[1], "rb").read()
dec_z = zlib.decompress(data[4:])
dec_b = base64.b64decode(dec_z)
sys.stdout.buffer.write(dec_b)  # decoded payload (.dex)
```

-----

##### Wrong design (vulnerability?) in old versions

The loader reads an email subject and decrypts the real C2 destination from it.

Wrong design: what if someone else sends an email there…?

-----

##### Fixed wrong design in 2019

Crypto algorithm: xor + sub; Base64 + DES (ECB); Apr 2019: Base64.urlsafe + DES (CBC).

```python
#!/usr/bin/env python
# Apr 2019 variant: urlsafe Base64 + DES-CBC with the key reused as IV (pycryptodome)
from Crypto.Cipher import DES
import sys
import base64

enc = base64.urlsafe_b64decode(sys.argv[1])
key = b"Ab5d1Q32"
des = DES.new(key, DES.MODE_CBC, iv=key)  # mode 2 == DES.MODE_CBC
dec = des.decrypt(enc)
print(dec)
```

-----

## $ whois

Attribution

-----

##### The goal of the attacker

Of course… get the money!

-----

##### Creating accounts from stolen information

(Diagram: the C2 → Billing)

-----

##### Stealing authentication codes

- EC sites / payment services
- SMS
- Carrier billing

-----

##### Abusing stolen information

-----

##### Money earning and money laundering technique

By a money launderer (money mule phase): shopping on EC sites through a payment service, paid with stolen credit cards. (Nikkei 2019/6/6)

-----

##### How to recruit a money launderer

“If you have an iPhone, there is a job. Get rewards just by purchasing a game item! No cost at all.”

-----

## $ shutdown -h now

Conclusions

-----

##### Conclusions

THE ROAMING MANTIS

- Targets Taiwan via SMShing
- Is rapidly improving
- Has strong financial motivation

-----

##### Example of IoCs

Malicious smartcat.apk Type A (MoqHao/XLoader) and its modules:

| Hash | Component |
|---|---|
| c2dea0e63bd58062824fd960c6ff5d10 | APK file |
| 720c9528f2bb436fa3ca2196af718332 | APK file |
| 11ab174bf1dbac0418a14853bae5f1ae | `\classes.dex` |
| 95aa090211fd06bbd2d2c310d0742371 | `\classes.dex` |
| 2275e5b5186fdfddd64cbb653cc7c5e2 | `\assets\?\?????` (Encrypted payload) |
| 14eb70a63a16612ec929b552fced6190 | `\assets\?\?????` (Encrypted payload) |
| 710b672224653ad7e31bd081031928b4 | Decrypted payload (.dex) |
| 7d41ef4c8e39d4dd8ca937d23521254a | Decrypted payload (.dex) |

Suspicious hardcoded accounts:

- id538254835 (m.vk.com)
- id538255725 (m.vk.com)
- id538256404 (m.vk.com)
- 09261074305103529133 (blogger.com)

-----

##### References

1. …security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/
2. https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/
3. https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/
4. https://securelist.com/roaming-mantis-part-3/88071/
5. https://securelist.com/roaming-mantis-part-iv/90332/
6. https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao…

-----

# Let’s Talk?

- Suguru Ishimaru, GReAT APAC, Kaspersky Lab
- Manabu Niseki, NTT-CERT, NTT SC Labs
- Hiroaki Ogawa, Professional Service, McAfee

-----
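An added defender-side check, not part of the deck, built from the rogue resolver addresses on the “Rogue DNS servers” slide: it finds LAN clients sending port-53 traffic to those resolvers in constructed firewall lines (the key=value log format is assumed) and classifies a resolv.conf-style resolver list, treating the legitimate Korean resolvers from the “Korea is the first priority target” slide as known-good so they are not flagged.

```python
import re
from collections import defaultdict

# Rogue resolver pairs (primary, secondary) from the "Rogue DNS servers" slide.
ROGUE_DNS = {
    "1.53.252.215", "1.53.252.164",     # A (Vietnam)
    "171.244.3.110", "171.244.3.111",   # B (Vietnam)
    "118.30.28.38", "118.30.28.39",     # C (China)
    "42.112.35.45", "42.112.35.55",     # D (Vietnam)
}
# Legitimate Korean resolvers from the "Korea is the first priority target" slide.
KNOWN_LEGIT_DNS = {"168.126.63.1", "203.248.252.2", "219.250.36.130"}

# Constructed firewall log lines in an assumed key=value format (not from the deck).
SAMPLE_LOG = """\
2019-08-02T09:12:01Z action=allow proto=udp src=192.168.0.12 dst=1.53.252.215 dport=53
2019-08-02T09:12:01Z action=allow proto=udp src=192.168.0.12 dst=1.53.252.164 dport=53
2019-08-02T09:12:05Z action=allow proto=udp src=192.168.0.20 dst=168.126.63.1 dport=53
2019-08-02T09:12:09Z action=allow proto=tcp src=192.168.0.12 dst=1.171.153.177 dport=80
2019-08-02T09:13:44Z action=allow proto=udp src=192.168.0.31 dst=118.30.28.39 dport=53
"""
# Constructed resolv.conf as a DHCP client behind a hijacked router might receive it.
SAMPLE_RESOLV = "# Generated by DHCP\nnameserver 171.244.3.110\nnameserver 171.244.3.111\nsearch lan\n"

LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

def rogue_dns_clients(log_text):
    """Map each LAN client to the rogue resolvers it sent port-53 traffic to."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["dport"] == "53" and m["dst"] in ROGUE_DNS:
            hits[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}

def resolvers_from_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf-style text."""
    return [line.split()[1] for line in text.splitlines()
            if line.strip().startswith("nameserver")]

def check_resolvers(resolvers):
    """Classify configured resolvers as rogue, known-legit or unknown."""
    verdicts = {}
    for ip in resolvers:
        if ip in ROGUE_DNS:
            verdicts[ip] = "rogue"
        elif ip in KNOWN_LEGIT_DNS:
            verdicts[ip] = "known-legit"
        else:
            verdicts[ip] = "unknown"
    return verdicts
```

Traffic to the landing-page hosts on port 80 is deliberately left out of the DNS check; the HiNet line in the sample only shows that non-DNS traffic is ignored.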
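An added triage helper for the “Improving crypto algorithm of loader module” slide, written here and not taken from the deck or the malware: given an asset blob, it tries the Base64-only, Zlib + Base64 and Skip 4 bytes + Zlib + Base64 layerings and reports which one yields a DEX file. The DEX-like payload and the 4 filler bytes are constructed; the DES (“xieurjke”) and ZIP layers named on the slide are not handled.

```python
import base64
import zlib

# Constructed stand-in for a payload: a DEX-like header ("dex\n035\0"), not a real classes.dex.
FAKE_DEX = b"dex\n035\x00" + bytes(24)

# Encoding variants from the loader slide as (name, bytes to skip, zlib layer present).
VARIANTS = (
    ("Base64", 0, False),
    ("Zlib + Base64", 0, True),
    ("Skip 4 bytes + Zlib + Base64", 4, True),
)

def looks_like_dex(blob: bytes) -> bool:
    """DEX files start with "dex\\n", a 3-digit version and a NUL byte."""
    return blob[:4] == b"dex\n" and blob[4:7].isdigit() and blob[7:8] == b"\x00"

def unwrap_payload(blob: bytes):
    """Try each known variant; return (variant name, payload) on a DEX hit, else (None, b"")."""
    for name, skip, has_zlib in VARIANTS:
        stage = blob[skip:]
        if has_zlib:
            try:
                stage = zlib.decompress(stage)
            except zlib.error:       # wrong layer order or filler bytes still present
                continue
        try:
            payload = base64.b64decode(stage, validate=True)
        except ValueError:           # binascii.Error is a ValueError subclass
            continue
        if looks_like_dex(payload):
            return name, payload
    return None, b""

def wrap_payload(payload: bytes, variant: str) -> bytes:
    """Inverse of unwrap_payload; used only to build constructed samples for testing."""
    encoded = base64.b64encode(payload)
    if variant == "Base64":
        return encoded
    if variant == "Zlib + Base64":
        return zlib.compress(encoded)
    if variant == "Skip 4 bytes + Zlib + Base64":
        return b"\x00\x00\x00\x00" + zlib.compress(encoded)  # 4 constructed filler bytes
    raise ValueError(variant)
```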