While malware and phishing are two quite different kinds of cyberattack, threat actors often combine both techniques in a single malicious campaign. A threat actor known as Roaming Mantis appears to be doing exactly that in a new campaign documented by researchers at the cybersecurity firm SEKOIA. Roaming Mantis has previously targeted users in Japan, South Korea, Taiwan, Germany, France, the UK, and the US, distributing the MoqHao Android malware, also known as XLoader. The researchers estimate that this new campaign has compromised around 70,000 Android devices belonging to French users.

Like a spyware campaign that recently targeted Italian users, this campaign's kill chain begins with an SMS message sent to phone numbers beginning with France's +33 country code. The text message tells recipients that a package has been sent and requires their review. The message contains a malicious link that sends users to different destinations depending on certain conditions. If the user's IP address geolocates outside France, the server returns a 404 error and the attack ends there. This simple geofence limits the campaign to its intended victims and also defeats sandboxes, URL scanners and analysts whose egress IP is not French, so anyone triaging the link needs a French vantage point to see the real payload.

Apple ID phishing web page (source: SEKOIA)

If the user does have a French IP address, the malicious server then fingerprints the mobile device's operating system. For an Apple device running iOS, the server sends the victim to a phishing page that mimics the French-language Apple ID login page. Any Apple ID credentials entered on that page are collected by the Roaming Mantis threat actor for later use.
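The two gates described above (IP geolocation, then OS fingerprinting from the User-Agent) are easy to model, and doing so makes the triage problem concrete: the payload is only reachable from a French IP with a mobile User-Agent. The following is an added example written for this page, not SEKOIA's or the attacker's code. The GeoIP table, the IP ranges (RFC 5737 documentation ranges), the User-Agent strings and the handling of desktop or unrecognised browsers (treated as a 404, since the article only describes the iOS and Android branches) are all assumptions; the Android branch follows the behaviour the article describes in the next paragraph.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the attacker's GeoIP lookup. A real campaign would use
# a commercial GeoIP database; these documentation ranges are assigned arbitrarily.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "FR",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}


def country_of(ip: str) -> Optional[str]:
    """Return the assumed country code for an IP, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return None


def mobile_os(user_agent: str) -> Optional[str]:
    """Crude User-Agent sniffing of the kind a phishing kit uses to pick a branch."""
    ua = user_agent.lower()
    if "iphone" in ua or "ipad" in ua or "ipod" in ua:
        return "ios"
    if "android" in ua:
        return "android"
    return None


@dataclass(frozen=True)
class Decision:
    status: int   # HTTP status the landing server answers with
    branch: str   # which part of the kill chain the visitor reaches


def route(client_ip: str, user_agent: str) -> Decision:
    """Reproduce the gating described in the article:
    non-French IP -> 404; French + iOS -> Apple ID phishing page;
    French + Android -> page that pushes the APK download.
    Desktop/unknown browsers are answered with 404 as an assumption."""
    if country_of(client_ip) != "FR":
        return Decision(404, "blocked_geo")
    os_name = mobile_os(user_agent)
    if os_name == "ios":
        return Decision(200, "apple_id_phish")
    if os_name == "android":
        return Decision(200, "android_apk")
    return Decision(404, "blocked_ua")  # assumption: article does not cover this case


# Assumed User-Agent strings for the vantage-point comparison below.
UA_IOS = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X) "
          "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari/604.1")
UA_ANDROID = ("Mozilla/5.0 (Linux; Android 13; Pixel 6) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/108.0.0.0 Mobile Safari/537.36")
UA_DESKTOP = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36")


def vantage_points() -> Dict[str, str]:
    """What different analysis setups see when they follow the SMS link.
    Only the French mobile vantage points ever reach the payload."""
    cases = {
        "sandbox_us_desktop": ("192.0.2.10", UA_DESKTOP),
        "sandbox_fr_desktop": ("203.0.113.10", UA_DESKTOP),
        "analyst_de_android": ("198.51.100.7", UA_ANDROID),
        "victim_fr_ios": ("203.0.113.20", UA_IOS),
        "victim_fr_android": ("203.0.113.21", UA_ANDROID),
    }
    return {name: route(ip, ua).branch for name, (ip, ua) in cases.items()}


if __name__ == "__main__":
    for name, branch in vantage_points().items():
        print(f"{name:20} -> {branch}")
```

The practical lesson is in `vantage_points()`: a URL scanner or sandbox that detonates the link from a non-French egress, or with a desktop browser, records a harmless 404 and may mark the domain clean. When replaying such a link, pin both the egress country and a mobile User-Agent, and record each branch separately.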

If the victim's phone is running Android, the server redirects the victim to a page that displays an alert and attempts to download an APK file. If the victim runs the APK and disables the Android safeguard that blocks installation of apps from unknown sources, it installs a malicious app that mimics the Chrome browser and asks the victim to grant it extensive permissions. The XLoader malware inside the app connects to the legitimate image-hosting service Imgur to retrieve its command-and-control (C2) configuration from a user profile. Using a legitimate service as a dead-drop resolver in this way means the first outbound connection goes to Imgur rather than to an attacker-controlled host, which blends in with ordinary traffic and lets the operators rotate C2 servers by editing the profile. The malware then steals information from the infected device and uploads it to the C2 server.
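Two of the Android-side traits above, a Chrome lookalike and a broad permission request, can be checked statically before the APK is ever run. The script below is an added example for this page, not SEKOIA's tooling and not derived from the MoqHao sample. It assumes the manifest has already been decoded (for instance with apktool) and that the application label has been resolved from its string resource. Both manifests are constructed inputs, the package name `com.example.fakechrome` is invented, and the set of permissions treated as risky is the author's choice rather than the list the malware actually requests.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Official package names for the brand the dropper imitates. These are Google's
# real Chrome package names; add other brands as needed.
OFFICIAL_PACKAGES: Dict[str, Set[str]] = {
    "chrome": {"com.android.chrome", "com.chrome.beta",
               "com.chrome.dev", "com.chrome.canary"},
}

# Permissions that let an app read messages, contacts and identifiers. This
# selection is an assumption for the example, not MoqHao's actual request list.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.SYSTEM_ALERT_WINDOW",
}


def triage_manifest(xml_text: str) -> Dict:
    """Flag brand/package mismatches and risky permissions in a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label", "") if app is not None else "").strip().lower()
    requested = {p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")}

    findings = []
    # A browser brand in the label but a package name Google does not ship is
    # the static fingerprint of a lookalike app.
    for brand, official in OFFICIAL_PACKAGES.items():
        if brand in label and package not in official:
            findings.append(f"label '{label}' but package '{package}' is not an official {brand} package")
    risky = sorted(requested & RISKY_PERMISSIONS)
    if risky:
        findings.append("requests " + ", ".join(p.rsplit(".", 1)[-1] for p in risky))

    return {"package": package, "label": label, "risky_permissions": risky,
            "findings": findings, "suspicious": bool(findings)}


# Constructed manifest for a Chrome lookalike (package name invented).
FAKE_CHROME_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Chrome" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed benign counterpart: official package, minimal permissions.
REAL_CHROME_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.chrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Chrome">
    <activity android:name=".Main"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for name, xml in (("fake", FAKE_CHROME_MANIFEST), ("real", REAL_CHROME_MANIFEST)):
        result = triage_manifest(xml)
        print(name, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

This is a first-pass filter, not a verdict: a repackaged legitimate app can keep its real package name, and a loader can request few permissions at install time and escalate later. The brand/package check does catch the simplest lookalikes, and in the scenario the article describes it would have flagged the app before the victim was asked to approve its permissions.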

Between the phishing attack aimed at iOS users and the malware attack aimed at Android users, Roaming Mantis gains access to a wide range of personal data and can interact remotely with victims' devices. That sensitive data and remote access could later be used to support extortion of the victims or of related companies and institutions.