Cybercriminals use DNS changers to spread malware via public WiFi

Researchers at cybersecurity solutions company Kaspersky reported that cybercriminals are using a new domain name system (DNS) changer to spread malware through compromised public Wi-Fi routers.

Used in the Roaming Mantis campaign, the DNS changer can infect Android smartphones with the Wroba.o malware. Kaspersky said the new technique targets users in South Korea but warned that it could soon be implemented in other countries as well.

“The new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products,” said Suguru Ishimaru, senior security researcher at Kaspersky.

On the malicious landing page, the potential victim is prompted to download malware that can control the device or steal credentials.

Roaming Mantis (a.k.a. Shaoye) is a cybercriminal campaign first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to control infected Android devices and steal device information. It also has a phishing option for iOS devices and crypto-mining capabilities for PCs. The name of the campaign is based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection.

To identify targeted routers, the new DNS changer functionality gets the router’s IP address and checks the router’s model, then compromises targeted models by overwriting their DNS settings.

Smishing

An investigation of malicious landing pages found that attackers are also targeting other regions using smishing instead of DNS changers. This technique employs text messages to spread malicious links that direct the victim to a malicious site to download malware onto the device or steal user info via a phishing website. 

According to Kaspersky Security Network (KSN) statistics for September-December 2022, the highest detection rate of Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) was in France (54.4%), Japan (12.1%) and the U.S. (10.1%).

In order to protect your internet connection from this infection, Kaspersky researchers recommend the following:

  • Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with or contact your ISP for support.
  • Change the default login and password for the admin web interface of the router and regularly update your router’s firmware from the official source.
  • Never install router firmware from third-party sources. Avoid using third-party repositories for your Android devices.
  • Further, always check browser and website addresses to ensure they are legitimate; look for signs such as https when asked to enter data.
  • Consider installing a mobile security solution to protect your devices from these and other threats.
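
One way to carry out the first check from a computer on the network, as an added example that is not from Kaspersky or the original article: it audits a resolv.conf-style resolver list against the resolvers you expect. The `EXPECTED` set, the sample file contents and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample in resolv.conf format; addresses are documentation ranges.
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 203.0.113.53   # not a resolver we chose
nameserver 2001:db8::53
nameserver not-an-ip
"""
# Assumption: the resolvers you expect (from your ISP or your own choice).
EXPECTED = {"198.51.100.10", "2001:db8::53"}
# Explicit local ranges: is_private would also match the documentation ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_nameservers(text):
    """Return (addresses, malformed_lines) from resolv.conf-style text."""
    addrs, bad = [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            addrs.append(ipaddress.ip_address(fields[1].split("%")[0]))
        except ValueError:
            bad.append(raw.strip())
    return addrs, bad


def audit(text, expected=EXPECTED):
    """Sort configured resolvers into expected, local, unexpected, malformed."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    addrs, bad = parse_nameservers(text)
    report = {"expected": [], "local": [], "unexpected": [], "malformed": bad}
    for addr in addrs:
        if addr in allowed:
            report["expected"].append(str(addr))
        elif any(addr in net for net in LOCAL_NETS):
            # Usually the router forwarding queries; check its own DNS setting.
            report["local"].append(str(addr))
        else:
            report["unexpected"].append(str(addr))
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_RESOLV_CONF))
```

A `local` result only shows that the client points at the router, so the router's own DNS setting still has to be checked in its admin interface. An `unexpected` or `malformed` entry is the cue to compare against what your ISP documents.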