Roaming Mantis: an Anatomy of a DNS Hijacking Campaign · NTT-CERT NTT SC Labs Hiroaki Ogawa...
Roaming Mantis: an Anatomy of a DNS Hijacking Campaign
Suguru Ishimaru (GReAT APAC, Kaspersky Lab)
Manabu Niseki (NTT-CERT, NTT SC Labs)
Hiroaki Ogawa (Professional Service, McAfee)
Contents
1. Introduction
2. What is Roaming Mantis
3. MoqHao and SMShing
4. Attribution
5. Conclusions
HITCON CMT 2019
$ whoami
Introduction of ourselves
Who are we..?
Manabu Niseki (NTT-CERT, NTT SC Labs)
Suguru Ishimaru (GReAT APAC, Kaspersky Labs)
Hiroaki Ogawa (Professional Service, McAfee)
$ man roamingmantis
What is Roaming Mantis
What is Roaming Mantis?
• Cybercriminal campaign
• Compromised routers
• Targets multiple platforms and multiple languages
• Started in early 2018
Diagram labels: phishing site, web mining, malicious APK, multilingual.
What is Roaming Mantis? (where the name comes from)
• Roaming: compromised routers
• Mantis: Bugdroid’s color; mistakes (bugs)
Roaming Mantis aka 少爺(Shaoye)
• 57東森財經新聞台 (EBC Financial News): “Shaoye botnet” spreading across the network! Over a million personal records stolen worldwide (2018/06/07)
• https://www.youtube.com/watch?v=NEVMxhXG2lE
• TWNCERT: Shaoye Botnet Affecting Network Devices in Asia-Pacific (2018/06/14)
• https://www.nccst.nat.gov.tw/NewsRSSDetail?lang=en&RSSType=news&seq=16111
TWNCERT says:
• At least 6,000 mobile devices are infected with malicious apps, leaking more than 1 million pieces of personal information.
• The infection has spread to 55 countries in the world, and South Korea, being the main target, has a victim rate of 75%.
Compromised routers
Rogue DNS servers

| | A | B | C | D |
|---|---|---|---|---|
| Primary | 1.53.252.215 (Vietnam) | 171.244.3.110 (Vietnam) | 118.30.28.38 (China) | 42.112.35.45 (Vietnam) |
| Secondary | 1.53.252.164 (Vietnam) | 171.244.3.111 (Vietnam) | 118.30.28.39 (China) | 42.112.35.55 (Vietnam) |
Korea is the first priority target
• 168.126.63.1 (Korea Telecom / Korea)
• 203.248.252.2 (LG DACOM Corporation / Korea)
• 219.250.36.130 (SK Broadband Co Ltd / Korea)
Note: these are legitimate DNS servers in Korea.
DNS changer
• My handmade honeypot (which impersonates a Korean router) observed a DNS changer payload via 205.209.174.238.
• The Roaming Mantis DNS changer works in two steps:
1. Take a fingerprint of the target.
2. Send an attack payload chosen from that fingerprint.
JS DNS changer
The router’s DNS setting is potentially compromised if a device on the local network loads the DNS changer’s URL query while behind a router with one of the following conditions:
• No authentication for the router panel from the local network
• The device holds an admin session for the router panel
• A simple or default ID and password for the router panel, such as admin:admin or user:user
KSN data for detection of rogue DNS (1 – 19 Aug 2019)
98,000+ detections based on KSN data. Top 10 countries:
1. Russia
2. India
3. Vietnam
4. Bangladesh
5. Japan
6. Kazakhstan
7. Indonesia
8. Pakistan
9. Taiwan
10. Iran
Landing page
Using Taiwanese hosts as landing pages
• HiNet:
• 1.171.153.177, 1.171.154.9, 1.171.156.75
• 1.171.158.91, 1.171.169.160, 1.171.169.201
• 1.171.171.34, 1.171.174.228, 1.171.175.167
• Etc.
• SEEDNET:
• 175.181.255.52
• 112.104.27.225, 112.104.26.33
• Etc.
Targeted multi-platform: malicious APK file (MoqHao), phishing, mining
Accessing a landing page with iOS
Accessing a landing page with Android
Infection with the Android malware MoqHao (chrome1.0.7.apk)
$ file moqhao.apk
MoqHao and SMShing
MoqHao via SMShing
• MoqHao (aliases: Shaoye and XLoader) spreads via SMShing that impersonates Japanese logistics brands in Japan.
(source: https://asia.nikkei.com/Business/Japan-s-Sagawa-chasing-drivers-with-4-day-workweek, https://asia.nikkei.com/Business/Yamato-Transport-No.-1-in-Japan-brand-survey)
Spreading chain
• An infected Android device sends an SMS with a bit.ly link.
• The bit.ly link is a link to a Tumblr blog.
• The Tumblr blog redirects a user to a landing page.
Phishing website in Japan: iOS and Android views, and sagawa.apk (MoqHao)
In July 2019, the new target is …
(source: https://www.motive.com.tw/?p=18207)
黑貓宅急便 (Black Cat delivery service) is targeted in Taiwan
• Since early July 2019, MoqHao SMShing has been targeting 黑貓宅急便 in Taiwan.
(source: https://www.youtube.com/watch?v=0QKrDFua7Dc)
黑貓宅急便 landing page: smartcat.apk (MoqHao/Shaoye) and Apple phishing
Phishing website in Taiwan: iOS and Android views, and smartcat.apk (MoqHao)
Android malware MoqHao (smartcat.apk)
MoqHao ships as an encrypted payload that a loader module decrypts and executes:
• Loader module
• Encrypted payload (the payload is MoqHao itself)
• Decryption: zlib + base64
Android malware MoqHao
The MoqHao payload module is a backdoor with 20 commands:
1. sendSms
2. setWifi
3. gcont
4. lock
5. bc
6. setForward
7. getForward
8. hasPkg
9. setRingerMode
10. setRecEnable
11. reqState
12. showHome
13. getnpki
14. http
15. onRecordAction
16. call
17. get_apps
18. show_fs_float_window
19. Ping
20. getPhoneState
4,000+ stolen records, containing:
• IP
• Language
• ID (email)
• Password
• Name
• Address
• Credit card info
• Two-factor auth
• Bank info
• Etc…
Improving the crypto algorithm of the loader module
APK layout:
• \classes.dex: loader module
• \assets\bin: encrypted payload (-> .dex)
• …others
Payload encoding over time:
• 2018 April: Base64
• 2018 May: Base64 + Zlib
• 2018 Aug: Zlib + Base64
• 2019 Mar: DES (key “xieurjke”) + ZIP
• 2018 Feb: Skip 4 bytes + Zlib + Base64
• 2018 Apr: Skip 4 bytes + Zlib + Base64
Decoder for the “Skip 4 bytes + Zlib + Base64” variant:
```python
#!/usr/bin/env python
import sys
import zlib
import base64

# Drop the 4-byte prefix, inflate the zlib stream, then Base64-decode
# to recover the payload .dex; writes <input>.dec next to the input
data = open(sys.argv[1], "rb").read()
dec_z = zlib.decompress(data[4:])
dec_b = base64.b64decode(dec_z)
with open(sys.argv[1] + ".dec", "wb") as fp:
    fp.write(dec_b)
```
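A variant-tolerant unpacker for the loader schemes in the timeline above, added here as an example; it is not code from the deck or from the MoqHao analysis. It tries each documented decode chain on the assets/bin bytes and accepts only output that starts with the DEX magic, assuming the slide’s “A + B” notation reads in decode order (as the deck’s own script does); the 2019 DES + ZIP scheme is omitted because it needs a DES library, and FAKE_DEX is a constructed stand-in, not a real payload.

```python
import base64
import zlib

# A real classes.dex starts with "dex\n" + 3-digit version + NUL.
# FAKE_DEX is a constructed stand-in for a decrypted payload.
DEX_MAGIC = b"dex\n"
FAKE_DEX = b"dex\n035\x00" + bytes(range(32))


def _skip4(data: bytes) -> bytes:
    # The Feb/Apr 2018 variants prepend 4 bytes before the zlib stream
    return data[4:]


# Decode chains from the deck's timeline, applied left to right
# (assumption: "A + B" on the slide means "undo A, then B").
SCHEMES = {
    "base64": [base64.b64decode],
    "base64+zlib": [base64.b64decode, zlib.decompress],
    "zlib+base64": [zlib.decompress, base64.b64decode],
    "skip4+zlib+base64": [_skip4, zlib.decompress, base64.b64decode],
}


def unpack(blob: bytes):
    """Try each documented chain; accept the first result carrying the
    DEX magic. Returns (scheme, dex) or (None, None)."""
    for name, steps in SCHEMES.items():
        data = blob
        try:
            for step in steps:
                data = step(data)
        except (ValueError, zlib.error):  # bad Base64 (binascii.Error) or zlib
            continue
        if data.startswith(DEX_MAGIC):
            return name, data
    return None, None


def pack(dex: bytes, scheme: str) -> bytes:
    """Inverse of unpack, used only to build constructed test samples;
    this is not the malware's own packer."""
    if scheme == "base64":
        return base64.b64encode(dex)
    if scheme == "base64+zlib":
        return base64.b64encode(zlib.compress(dex))
    if scheme == "zlib+base64":
        return zlib.compress(base64.b64encode(dex))
    if scheme == "skip4+zlib+base64":
        return b"\x00\x00\x00\x00" + zlib.compress(base64.b64encode(dex))
    raise ValueError("unknown scheme: " + scheme)


if __name__ == "__main__":
    import sys
    # Usage: unpack_moqhao.py <extracted assets/bin file>
    with open(sys.argv[1], "rb") as fp:
        scheme, dex = unpack(fp.read())
    if scheme is None:
        sys.exit("no documented scheme produced a DEX")
    with open(sys.argv[1] + ".dec", "wb") as fp:
        fp.write(dex)
    print("scheme:", scheme, "dex bytes:", len(dex))
```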
Wrong design (vulnerability?) in old versions
• Old versions read an email subject and decrypt the real C2 destination from it.
• Wrong design: if someone else sends an email there…? Whatever that subject decrypts to is where the bot goes: the real C2, a sinkhole, or another actor?
Fixed wrong design in 2019
Fixed: the bot now reaches the real C2 of Roaming Mantis.
Crypto algorithm for the C2 destination:
• Feb 2019: xor + sub
• Mar 2019: Base64 + DES (ECB)
• Apr 2019: Base64.urlsafe + DES (CBC)
Decryption script for the Apr 2019 scheme:
```python
#!/usr/bin/env python
from Crypto.Cipher import DES
import sys
import base64

# Argument: the URL-safe Base64 string carrying the encrypted C2 destination
enc = base64.urlsafe_b64decode(sys.argv[1])
key = b"Ab5d1Q32"
# Mode 2 in the original is DES.MODE_CBC; the key doubles as the IV
des = DES.new(key, DES.MODE_CBC, key)
dec = des.decrypt(enc)
print(dec)
```
$ whois
Attribution
The goal of the attacker
Of course… get the money!
Creating accounts from stolen information
1. After infection, MoqHao sends device information, including the device’s telephone number, to the C2 server.
2. The attacker gets the compromised device’s telephone number.
3. The attacker creates accounts at EC sites, payment services and carrier billing using the compromised device’s telephone number.
4. The SMS message with the authentication code is sent to the compromised device.
5. MoqHao steals SMS messages and sends them to the C2.
6. The attacker gets the authentication code from the stolen SMS.
Stealing authentication codes
Diagram: EC sites / payment service, SMS, carrier billing
Abusing stolen information
(source: https://www.setn.com/News.aspx?NewsID=577291)
Money earning and money laundering technique
• Carrier billing
• EC sites / payment service: shopping with a stolen credit card
• Stolen credit card
• By money launderer (money mule phase); Nikkei 2019/6/6
• Buy iTunes card with payment service; Yahoo!知恵袋 (Yahoo! Chiebukuro) 2018/8/3
How to recruit a money launderer
“If you have an iPhone, there is a job. Get rewards just by purchasing a game item! No cost at all.”
$ shutdown -h now
Conclusions
Conclusions
Roaming Mantis:
• targets Taiwan via SMShing
• is rapidly improving
• has strong financial motivation
Example of IoCs
Malicious smartcat.apk Type A (MoqHao/XLoader) and its modules
Suspicious hardcoded accounts
Let’s talk?
Suguru Ishimaru (GReAT APAC, Kaspersky Lab)
Manabu Niseki (NTT-CERT, NTT SC Labs)
Hiroaki Ogawa (Professional Service, McAfee)