Roaming Mantis is believed to be a financially-motivated threat actor that started targeting European users in February.
Following attacks on users of Android and iOS in Germany, Taiwan, South Korea, Japan, the US, and the UK, the Roaming Mantis operation turned its attention to France, possibly compromising tens of thousands of devices.
In the latest campaign, the threat actor uses SMS messages to lure victims into downloading malware onto their Android devices. If the potential victim is an iOS user, they are instead redirected to a phishing page that asks for Apple credentials.
Dropping XLoader
According to a report published today by researchers at cybersecurity firm SEKOIA, the Roaming Mantis group is dropping XLoader (MoqHao) on Android smartphones, a potent malware with remote access, information stealing, and SMS spamming capabilities.
The ongoing Roaming Mantis campaign targeting French users begins with an SMS urging the potential victim to visit a URL.
The text message tells the recipient that a package has been sent to them and that they need to review it and arrange delivery.
If the user is on an iOS device and located in France, they are taken to a phishing page that steals Apple credentials. Android users are instead directed to a website serving the mobile app installation file (an Android Package Kit, or APK).
For users outside France, the attack terminates with a 404 error from Roaming Mantis' servers.
Figure: The Roaming Mantis attack sequence (SEKOIA)
As it runs, the APK imitates a Chrome installation and requests dangerous permissions, including SMS interception, making phone calls, reading and writing storage, managing system alerts, collecting the list of accounts, and more.
To evade detection, the malware retrieves its command and control (C2) configuration from hardcoded Imgur profile destinations that are encoded in base64.
Figure: Decrypting the string to obtain the final C2 IP address (SEKOIA)
The victim pool may be considerable: SEKOIA reports that over 90,000 unique IP addresses have so far requested XLoader from the primary C2 server.
The number of iOS users who have entered their Apple iCloud credentials on the Roaming Mantis phishing page is unknown, but could be even higher.
Figure: The Apple ID phishing page (SEKOIA)
Infrastructure details
According to SEKOIA's analysts, Roaming Mantis' infrastructure has not changed significantly since Team Cymru's previous investigation in April.
The same certificates seen in April are still in use, and the servers still have open ports at TCP/443, TCP/5985, TCP/10081, and TCP/47001.
SEKOIA's report states: "Domains used inside SMS messages are either registered with Godaddy or use dynamic DNS services like duckdns.org."
The intrusion set uses more than a hundred subdomains, and each IP address is resolved by dozens of FQDNs.
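As an added, defender-side example (not from the SEKOIA report or this article), a small Python hunting script applies the two observations above to passive-DNS records: names under a dynamic DNS service such as duckdns.org, and single IP addresses resolved by dozens of FQDNs. The sample records, the parcel-themed domain and the threshold value are constructed assumptions.

```python
"""Hunting heuristic built from the infrastructure traits described above.
All records below are constructed for illustration; they are not real IOCs."""
import re
from collections import defaultdict

DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)  # named on the page; extend for your environment
FQDN_PER_IP_THRESHOLD = 12                # "dozens of FQDNs" per IP; assumed tuning value

def parse_pdns(lines):
    """Parse 'fqdn ip' passive-DNS lines into (fqdn, ip) tuples, skipping malformed ones."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        fqdn, ip = parts[0].lower().rstrip("."), parts[1]
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip):
            records.append((fqdn, ip))
    return records

def is_dynamic_dns(fqdn):
    """True if the name is hosted under one of the dynamic DNS suffixes."""
    return any(fqdn == s or fqdn.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)

def cluster_by_ip(records):
    """Map each IP to the set of FQDNs that resolved to it."""
    by_ip = defaultdict(set)
    for fqdn, ip in records:
        by_ip[ip].add(fqdn)
    return by_ip

def flag_suspicious(records, threshold=FQDN_PER_IP_THRESHOLD):
    """Return {ip: [reasons]} for IPs matching either heuristic."""
    flagged = {}
    for ip, fqdns in cluster_by_ip(records).items():
        reasons = []
        if len(fqdns) >= threshold:
            reasons.append(f"{len(fqdns)} FQDNs resolve to this IP")
        dyn = sorted(f for f in fqdns if is_dynamic_dns(f))
        if dyn:
            reasons.append("dynamic DNS names: " + ", ".join(dyn[:3]))
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample: 20 parcel-themed subdomains and one duckdns name on a single
# documentation-range IP, two ordinary names on another IP, and one malformed line.
SAMPLE_PDNS = [f"colis{i}.example-parcel.test 203.0.113.10" for i in range(20)]
SAMPLE_PDNS += ["suivi-livraison.duckdns.org 203.0.113.10",
                "www.example.org 198.51.100.5", "mail.example.org 198.51.100.5",
                "malformed line here"]

if __name__ == "__main__":
    for ip, reasons in flag_suspicious(parse_pdns(SAMPLE_PDNS)).items():
        print(ip, "->", "; ".join(reasons))
```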
Interestingly, the smishing (SMS phishing) operation uses different C2 servers from those used by XLoader; the analysts located nine of them on the EHOSTIDC and VELIANET autonomous systems.
A comprehensive list of indicators of compromise for the current Roaming Mantis campaign is available on this GitHub page.