After hitting South Korea, Japan, Taiwan, Germany, the US, and the UK, the Roaming Mantis campaign recently moved to target iOS and Android users in France and likely compromised numerous devices. Here is a look at the Roaming Mantis malware and how such smishing campaigns affect individuals and organizations.

In March 2018, the Japanese media reported hackers targeting the DNS settings of routers located in Japan. The Roaming Mantis got introduced when the hijackers redirected the victims to malicious IP addresses, leading them to install applications infected with trojans.

These applications contained an Android banking trojan, and what started as a banking trojan evolved quickly into a more dangerous malware. Roaming Mantis appears to be a financially-motivated threat actor which targeted many European users in February.


Tactics & Techniques

The Roaming Mantis malware sends an SMS message to the victim and infects their device. The language inside the text message tricks the user into thinking that they have received a shipped package confirmation. Then, they are asked to open a URL that redirects them to a malicious page designed to steal the victim’s credentials.

For iOS users, the malware doesn’t download an application. Instead, the phishing website displays a malicious page asking the user to log in to the App Store. The hackers’ address seems like a genuine Apple website and reassures the victim everything is well.


Specifically Targeting Users in France

The cybersecurity firm SEKOIA published a report in which the researchers mentioned that the hackers of the Roaming Mantis group are pushing the XLoader (MoqHao) payload on Android devices. The loader (MoqHao) payload is a powerful malware with features like information stealing, remote access, and SMS spamming.

The Roaming Mantis campaign currently targets French users and begins with an SMS that the victims receive, urging them to click on a URL. If the victim is located in France, using an iOS device, they get redirected to a malicious page that steals their Apple credentials. The Android users get pointed to a website that pushes the installation file for a mobile app into the victim’s mobile (an Android Package Kit – APK).

The APK installs and looks like a Chrome installation through which the hackers ask for permissions like making phone calls, handling system alerts, getting accounts lists, reading and writing storage, SMS interception, and more.

The C2 (command and control) configuration gets retrieved from the hardcoded Imgur profile destinations that hackers encode in base64 to evade detection. For users outside France, the Roaming Mantis’ servers throw a 404 error, stopping the attack. 


Image sourced from


Infrastructure Details

SEKOIA’s analysts report that the infrastructure hasn’t changed much since team Cymru’s last April analysis of the Roaming Mantis. The servers have open ports at TCP/47001, TCP/10081, TCP/5985, and TCP/443, while the same certificates from April are currently in use.

The threat actors use Domains in the SMS text messages that are either Godaddy registered or dynamic DNS services like, adds the report. The intrusion set utilizes over a hundred subdomains, and many FQDNs resolve each IP address.

Interestingly, the Roaming Mantis SMS phishing  (smishing) operation relies on separate C2 servers than those used by the loader. The analysts identified nine of those hosted on VELIANET and EHOSTIDC Autonomous Systems.


What is in it for the Adversaries?

SEQUOIA analysts confirmed that about 90,000 unique IP addresses requested XLoader from the main C2 server, signaling that the victim count might be significant. The iOS user numbers who might have entered their Apple iCloud credentials on the malicious Roaming Mantis webpage are unknown and could be the same or higher.

Threat actors that carry out such smishing campaigns are similar to other cybercriminals and want to steal the victims’ PII (Personally Identifiable Information).

Suppose an adversary, for example, does a good job and impersonates a financial institution’s website. In that case, they can lure you into providing your login credentials and use them to pretend to be you. Hackers can either take several small amounts over a long period or large sums of money in a single attack. If they target several people like this, they can earn a sizable income.

Besides, the attacker need not log in to a financial institution and make a profit from your personal information. Most people reuse their passwords and usernames for several accounts.

For example, they can keep their email address as the username, and although they might hold a robust password that is difficult to guess, they can use the same one repeatedly. Therefore, a threat actor merely needs one of your passwords to access several websites and services you may be logged in to if you are not cyber-hygienic.


Defending Against Smishing

Smishing impacts both organizations and individuals. Below, we discuss tips to strengthen defenses from the business and individual perspective:


Defenses for Individuals

  • A useful thumb rule is to avoid clicking on any text message links.
  • Enable two-factor or multi-factor authentication methods for most crucial accounts, like email, banking, eCommerce platforms, and online bank applications.
  • Call your retailer, bank, or relevant government services directly to verify the authenticity of any SMS text messages about account lockouts, transactions, suspicious activity, and appointments.
  • Avoid saving sensitive information on your mobile, like your credit card number or account passwords, because malware can allow device takeover, giving cybercriminals free ground to find and use this information easily.


protection from phishing


Defenses for Businesses

  • Measure the amount of smishing awareness among employees by carrying out surveys and include smishing material in regular training materials. It will reduce the susceptibility to falling for these fraudulent text messages by compensating for any knowledge gaps.
  • Use the least privilege access principle to ensure that even if the attacker compromises an employee’s account, your attack surface gets minimized because you have restricted the access levels to only what’s necessary for the employee’s job functions and duties.
  • Use phishing training and simulation exercises to give employees valuable opportunities to improve their detection ability for various social engineering techniques that are common across multiple attack types.
  • Organizations with a BYOD policy allowing their employees to connect their mobile devices to the corporate network and apps can update their policy to include guidance and tips for the employees to ensure they don’t fall victim to smishing campaigns.


Final Words

A relatively new form of cyberattack, the Roman Mantis has taken the smishing campaigns to new levels. After targeting European users in February, the malware is now targeting French users.

Such smishing campaigns present new challenges for individuals and businesses. Thus, it is imperative to ensure that the workforce, even those not dealing with confidential information assets, are adequately trained and follow robust cyber hygiene to ensure adequate protection from phishing against such cyber threats.