![Page 1: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/1.jpg)
Roaming Mantis:A Melting Pot of Android Bots
Suguru IshimaruGReAT APACKaspersky Lab
Manabu NisekiNTT-CERT
NTT SC Labs
Hiroaki OgawaProfessional Service
McAfee
![Page 2: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/2.jpg)
2
Contents
1. Introduction
2. What’s Roaming Mantis
• MoqHao
• FakeSpy
• FakeCop
• FunkyBot
3. Conclusions
Botconf 2019
![Page 3: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/3.jpg)
$ whoamiIntroduction of ourselves
![Page 4: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/4.jpg)
Who Are We?
Manabu Niseki
(NTT-CERT)
Suguru Ishimaru
(Kaspersky)
Hiroaki Ogawa
(McAfee)
![Page 5: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/5.jpg)
You can download our slides in HITCON CMT 2019
![Page 6: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/6.jpg)
$ man roamingmantisWhat is Roaming Mantis
![Page 7: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/7.jpg)
Phishing site
Web mining
Malicious APKMultilingual
8Botconf 2019
What is Roaming Mantis?
• Cyber criminal campaign
• DNS changer + SMiShing
• Targeted multi platform and
multiple language
![Page 8: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/8.jpg)
9Botconf 2019
What is Roaming Mantis?
A melting pot of Android bots:
• MoqHao
• FakeSpy
• FunkyBot
• FakeCop
![Page 9: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/9.jpg)
$ file moqhao.apk
Named by McAfeeAppeared since 2017
![Page 10: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/10.jpg)
11Botconf 2019
Distribution channels• DNS changer (rogue DNS)
• SMiShing
Targeting brands• Facebook
• Google Chrome
• Sagawa Express (JP)
• Yamato Transport (TW)
• CJ Logistics (KR)
• DHL Express (SG)
MoqHao: Distributions
DNS changer SMiShing
![Page 11: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/11.jpg)
MoqHao: Distribution channels: Rogue DNS
12Botconf 2019
• Attacking routers to use rogue DNS servers.• iOS: will be navigated to an Apple phishing website.
• Android: will be infected with MoqHao.
![Page 12: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/12.jpg)
MoqHao: Compromised routers
13Botconf 2019
![Page 13: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/13.jpg)
MoqHao: Distribution channels: SMiShing
14
SMiShing impersonating logistics firms:
• Sagawa Express (Japan)
• Yamato Transport (Taiwan)
• DHL Express (Singapore)
• CL Logistics (Korea)
Botconf 2019
![Page 14: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/14.jpg)
16Botconf 2019
MoqHao: Packer mechanism
MoqHao contains encrypted payload executed by loader module:
Loader module
Encrypted payload
Payload is MoqHao(.dex)
4bytes skip + zlib dec + base64 dec
![Page 15: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/15.jpg)
17Botconf 2019
MoqHao: Communications to C2
Base64_urlsafe + DES + a hardcoded key(iv is same) “Ab5d1Q32”
1.171.162.250:28844
SNS accounts and strings
![Page 16: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/16.jpg)
18Botconf 2019
MoqHao: Backdoor malicious features
1. sendSms2. setWifi3. gcont4. lock5. bc6. setForward7. getForward8. hasPkg9. setRingerMode10. setRecEnable
11. reqState12. showHome13. getnpki14. http15. onRecordAction16. call17. get_apps18. show_fs_float_window19. Ping20. getPhoneState
20th backdoor commands 4,000+ stolen info
• IP• Language• ID (email)• Password• Name• Address• Credit card info• Tow factor auth• Bank info• Secret question• Etc…
MoqHao payload module is a backdoor.
![Page 17: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/17.jpg)
$ file fakespy.apk
Named by TrendMicroAppeared since 2017
![Page 18: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/18.jpg)
21Botconf 2019
Distribution channels• SMiShing
Targeting brands• Sagawa Express (JP)
• Japan Post (JP)
• Yamato Transport (JP)
• Nippon Express (JP)
• NTT Docomo (JP)
• Logen (KR)
• Die Post (CH)
• LuLu (UAE)
• Pos Malaysia(MY)
FakeSpy: Distributions
New targets?
![Page 19: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/19.jpg)
Botconf 2019 22
FakeSpy: Packer mechanism
Loader module2 (JNI)
Encrypted payload
Payload is FakeSpy(.jar)
AES + a hardcoded key base64dec(“H8chGVmHxKRdjVSO14Mvgg==”)
Loader module1
![Page 20: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/20.jpg)
23Botconf 2019
FakeSpy: Communications to C2 and malicious features
http://jppost-bpa[.]top/
Ascii to HEX + DES +a hardcoded key “TEST”
Stealing infoSMS spamming
https://twitter.com/sekadetahttps://twitter.com/sekadeta
![Page 21: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/21.jpg)
25Botconf 2019
FakeSpy: Check device and targeting countries
Anti-sandbox
Country calling code is
+82 = South Korea
+86 = China
![Page 22: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/22.jpg)
26Botconf 2019
FakeSpy: Simplified Chinese
![Page 23: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/23.jpg)
$ file fakecop.apk
Named by KasperskyAppeared since 2019
![Page 24: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/24.jpg)
29Botconf 2019
Distribution channels• Rogue DNS
Targeting brands• Korean National Police Agency
(KR)
• S-GUARD (KR)
• NTT Docomo (JP)
FakeCop: Distributions
![Page 25: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/25.jpg)
FakeCop: Distributions
30
• In April 2019, Roaming Mantis landing pages started navigating (Japanese?) victims to Google Play store.
• “com.jptest.tools2019” is a FakeCop malware.• According to McAfee, this malware was immediately removed from the Google
Play store.Source: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/
![Page 26: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/26.jpg)
Botconf 2019 31
FakeCop: Packer mechanism
Jiagu packer
Payload is FakeCop (.dex)
![Page 27: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/27.jpg)
32Botconf 2019
FakeCop: Communications to C2 and stealing info
Steals device info and SMS
A hardcoded C2 in config
![Page 28: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/28.jpg)
33Botconf 2019
FakeCop: Device and locale check
Check device info as Anti-debug and anti-analysis
Country calling code is +81 = Japan
![Page 29: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/29.jpg)
34Botconf 2019
FakeCop: Simplified Chinese
![Page 30: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/30.jpg)
$ file funkybot.apk
Named by FortinetAppeared since 2019
![Page 31: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/31.jpg)
37Botconf 2019
Distribution channels• SMiShing
Targeting brands• Sagawa Express (JP)
FunkyBot: Distributions
![Page 32: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/32.jpg)
38Botconf 2019
FunkyBot: Packer mechanism
payloadType = 0 payloadType = 1
¥assets¥${conf}
if enc_byte != 0x00 || enc_byte != 0x51:
enc_byt XOR 0x51
classes.dex stored encrypted data ¥assets¥${encrypted_data}
dex num size
Payload of FunkyBot
Legitimate dex?
![Page 33: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/33.jpg)
39Botconf 2019
FunkyBot: Communications to C2
45.32.29[.]33:11257
Base64+ DES + a hardcoded key“d2a57dc1”
![Page 34: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/34.jpg)
Botconf 2019 40
FunkyBot: Stealer and SMS spamming
Steals contacts and emails SMS spamming
![Page 35: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/35.jpg)
41Botconf 2019
FunkyBot: Simplified Chinese
![Page 36: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/36.jpg)
$ yara roaming_mantisComparing relationship of each bot
![Page 37: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/37.jpg)
44Botconf 2019
Timeline (2017 – 2018)
Aug
2017Feb
2018
Sep
2018
Dec
2017
Aug
2018
Oct
2018Google Chrome
(#MoqHao)
Sagawa Express (#FakeSpy)
Facebook (#MoqHao)
DNS changer attacks are
started.
DNS changer attacks are
stopped.
![Page 38: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/38.jpg)
45Botconf 2019
Timeline (2019)
April
2019June
2019
Aug
2019
May
2019
July
2019
Sep
2019
Japan Post (#FakeSpy)
NTT Docomo (#FakeCop)
NTT Docomo (#MoqHao)
NTT Docomo (#FakeSpy)
Nippon Express (#FakeSpy)
Yamato Transport (#FakeSpy)
Lulu Hypermarket (#FakeSpy)
Korean National Police (#FakeCop)
DNS changer attacks are started again.
Yamato Transport (#MoqHao)
Sagawa Express (#FunkyBot)
DHL Express (#MoqHao)
POS Malaysia(#FakeSpy)
CJ Logistics (#MoqHao)
Logen (#FakeSpy)
Die Post (#FakeSpy)
S-GUARD (#FakeCop)
![Page 39: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/39.jpg)
46Botconf 2019
Geography
![Page 40: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/40.jpg)
Relationships
MoqHao FakeSpyFake app
SNS as a first C2
FakeCopInfrastructure
FunkyBot
SMiShing
DNS changer
![Page 41: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/41.jpg)
48
$touch moneyMoney laundering technique
![Page 42: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/42.jpg)
Money laundering
49
• Abusing carrier billing payment to buy iTunes gift cards.
“Please accept to the agreement to complete the carrier billing payment”
![Page 43: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/43.jpg)
Recruiting a money launderer
50
“If you have an iPhone, there is a job.Get rewards by purchasing online game items!”
![Page 44: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/44.jpg)
$ shutdown –h nowConclusions
![Page 45: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/45.jpg)
Conclusions
52Botconf 2019
THE ROAMING MANTIS
Many bots
Rapidly improving
Strong financial motivation
Spreading beyond the East Asia
MaaS is behind?
![Page 46: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/46.jpg)
55HITCON CMT 2019
References1. https://blog.trendmicro.com/trendlabs-
security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/
2. https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/
3. https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/
4. https://securelist.com/roaming-mantis-part-3/88071/
5. https://securelist.com/roaming-mantis-part-iv/90332/
6. https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/
7. https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html
![Page 47: Roaming Mantis: an Anatomy of a DNS Hijacking Campaign€¦ · Timeline (2019) April 2019 June 2019 Aug 2019 May 2019 July 2019 Sep 2019 Japan Post (#FakeSpy) NTT Docomo (#FakeCop)](https://reader034.vdocuments.net/reader034/viewer/2022051922/600fc3f2c8a5bf02b227d994/html5/thumbnails/47.jpg)
Suguru IshimaruGReAT APACKaspersky Lab
Let’s Talk?Manabu NisekiNTT-CERT
NTT SC Labs
Hiroaki OgawaProfessional Service
McAfee