Domain Name System changer functionality used in a new cyber scam

Kaspersky has reported the presence of a malicious cyber campaign that it once found in 2018. It has reported that the Roaming Mantis campaign has raised its head again. Not only has it raised its head, it is now using the Domain Name System (DNS) changer functionality to target the victims.

So, let’s dive in deeper into what the heck is this Roaming Mantis campaign?

Roaming Mantis

Roaming Mantis is a cyber attack campaign that instals malicious android APK in a victim’s device. This is used to control the device and steal sensitive device information. It has widened to include phishing campaigns for iOS and crypto mining for PCs.

The virus is named so because it is introduced through public Wifi networks such as Cafes, Airports and Hotels. Since, the victims of this campaign are people roaming through different public networks, the virus is named so.

Interestingly, the virus only affects the users connected through a special router available in South Korea , which is also manufactured in that country as well. The virus uses the Domain Name System changer functionality to load its malicious APK into a victim’s device.

Domain Name System changer functionality

This functionality alters the affected device’s DNS routing settings. It transfers the device to a compromised server instead of a legitimate DNS Server.

This compromised server then requests the device to install its malicious APK. Installing which the device gets in the control of the malicious actors which they use to derive sensitive information.

This time the threat actors have used an updated version of Wroba. It is the malware used to promulgate this scam and affects the router. Once a router is affected, all the devices connected to this network will face redirection to the compromised servers.

Geographical Spread

Although the DNS changer functionality is effective in South Korea, there is another troubling trend associated with this campaign. It is called Smishing

Smishing is a technique in which the malware is spread through Text Messages containing different URLs. All of these URLs redirect the victim to a site that requests them to install the malicious APKs.

The most affected countries by this virus are Japan, Austria, France, Germany, South Korea, Turkey, Malaysia and even India. However, the highest detection rate was observed in France followed by Japan and the US.

Spread across the devices

In the initial stages, the malware requests the user to download an update of popular software such as Chrome. The victim downloads the malicious file that is named Chrome.apk. After the victim instals the APK, it asks for a bunch of different permissions which you would grant considering this is an update of an application like Chrome.

The malicious APK then asks various Google accounts related to the victim. Once the information is provided a message is prompted to the user with a problem related to the accounts that needs Login. Victim then enters the sensitive Account details. This is further perpetuated through entering OTPs sent to the registered mobile phones. 

Image for

In iOS, the campaign takes a different turn where instead of installing an APK, the user is directed to the supposedly Apple Store site. The URL is also chosen in a way that looks legitimate. 

After the gain of Login information, the fraudsters further demand Credit card credentials as well.

For PCs also, the cybercriminals have kept their options open. The campaign instals a CoinHive mining script into the victim’s device. This uses a lot of power of the device and makes the device run very slow.


There are two ways you can protect yourself from such malicious campaigns. The first is prevention, the second one is focused around the cure part.

The prevention part comes as watching closely to the domain name before accessing platforms. Fraudsters often claim that they belong to reputed companies but all the malicious work happens through redirection to compromised domain names.

Such names could be detected if one looks for them carefully before entering any sensitive credentials. Many times such campaigns can be stopped right in their beginnings with a basic information around domain names.

The second option that is perhaps more effective to tackle the problem is by installing an appropriate Antivirus system. This needs to be updated regularly and be installed among all devices and not just your PC. 

Another step that could be of help is refraining downloads from Third party vendors as well as Unknown sources.


  1. Mark Beck Avatar

    Researchers explained that the Roaming Mantis attackers are delivering a revamped version of their patent mobile malware Wroba for infiltrating WiFi routers and hijacking Domain Name System/DNS.
    This malicious new attack is designed to specifically target South Korean WiFi routers manufactured by one of the leading network equipment vendors in South Korea.

  2. Larry Colt Avatar
    Larry Colt

    Roaming Mantis is back and targeting victims with DNS changer functionality! This malicious cyber campaign infects devices through public WiFi networks and has expanded to include phishing for iOS and crypto mining for PCs. It’s been observed in countries like France, Japan, and India, and the spread can be through downloading an APK or being directed to a fake Apple Store site. Protect yourself by being cautious of domain names and installing a regularly updated antivirus system. Refrain from downloading from third-party or unknown sources. Stay safe! #RoamingMantis #CyberAttack #Antivirus

Join the Discussion

Discover more from Domain Magazine

Subscribe now to keep reading and get access to the full archive.

Continue reading

Verified by ExactMetrics