📃Title: Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
📅Date: 2023-01-19
🔗References:
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: TA-profile
- target: targeted
- MY-relevancy: relevant
- topic: mobile-attack
🔖MISP Galaxies:
- producer Kaspersky
- threat-actor Roaming-Mantis
- target-information=“Austria”
- target-information=“France”
- target-information=“Japan”
- target-information=“Malaysia”
- malpedia=“Wroba”
- mitre-attack-pattern=[]
MISP event uuid: 0b8b636e-eefc-4ab6-8ffb-a272030fda47
Indicators of Compromise (IoCs)
Full IoCs available in Rectifyq's MISP