According to new research by Kaspersky's GReAT team, the online criminal activities of the Roaming Mantis group have continued to evolve since they were first discovered in April 2018. As part of its activities, the group compromises vulnerable routers and changes their DNS configuration. This allows the attackers to redirect the traffic of the router's users to malicious Android apps disguised as Facebook and Chrome, or to Apple phishing pages used to steal Apple ID credentials.
Recently, Kaspersky has discovered that this group is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the normal Apple phishing page. When users are redirected to these pages, they will be shown a blank page in the browser, but their CPU utilization will jump to 90% or higher.
This is caused by the page utilizing the Coinhive mining script shown below.
The day after GReAT discovered this new page, the attackers reverted to redirecting victims to the Apple phishing page, so this appears to be a test that is not yet ready for full release.
After Japanese researchers started publishing reports on Roaming Mantis, the group began making an effort to avoid compromising Japanese devices.
This group appears to also be taking a page out of the Adware handbook by promoting scam sites for adult videos, games, music, and downloads.
These scam sites are being promoted through Prezi.com, a presentation-sharing site, where the group creates pages that contain links to URLs at https://tinyurl.com. When a visitor goes to these URLs, though, they are redirected to various scam sites as shown below.
To protect yourself from attacks like this, make sure that your routers are upgraded to the latest firmware so that any known vulnerabilities are patched. Kaspersky also suggests that Android users turn off the ability to install apps from third-party sites.
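Two defender-side checks follow for the indicators the article describes: a router whose DNS settings have been changed so clients receive an unexpected resolver, and a near-blank page that loads an in-browser mining script and drives CPU usage up. This is an added example, not code from the article or from Kaspersky's research; the resolver allowlist, the resolv.conf text and the sample page are constructed for illustration, and the `coinhive.min.js` / `CoinHive.Anonymous` markers are the public names of the Coinhive library and its constructor.

```python
"""Defender-side checks for a hijacked-resolver configuration and for a page
that carries an in-browser miner. Added example; all inputs are constructed."""
import ipaddress
import re

# Assumption: resolvers this network is expected to hand out (router + two
# public resolvers). A real deployment would use the ISP's or its own list.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}

# Constructed sample of what a DHCP client might write after the router's
# DNS setting was changed: one expected entry and one unknown address.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
nameserver 192.168.1.1
nameserver 203.0.113.77
search lan
"""


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address: skip it rather than fail
    return servers


def unexpected_resolvers(resolv_conf: str, allowlist=EXPECTED_RESOLVERS) -> list[str]:
    """Resolvers not on the allowlist. A non-empty result is the client-side
    symptom of a router whose DNS configuration was changed by an attacker."""
    return [ns for ns in parse_nameservers(resolv_conf) if ns not in allowlist]


# Constructed sample: a page with no visible content that loads a miner.
# The site key is a placeholder, not a real value.
SAMPLE_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0});
miner.start();
</script></head><body></body></html>"""

# Markers of the Coinhive library: its script file and its constructors.
MINER_PATTERNS = [
    re.compile(r"coinhive\.min\.js", re.I),
    re.compile(r"CoinHive\.(Anonymous|User|Token)\s*\(", re.I),
]


def miner_indicators(html: str) -> list[str]:
    """Return the patterns from MINER_PATTERNS that occur in the page."""
    return [p.pattern for p in MINER_PATTERNS if p.search(html)]


def page_looks_like_hidden_miner(html: str) -> bool:
    """True when the page carries miner markers and renders almost no visible
    text, matching the 'blank page, CPU at 90%' behaviour described above."""
    without_scripts = re.sub(r"<script\b.*?</script>", "", html, flags=re.S | re.I)
    visible_text = re.sub(r"<[^>]+>", "", without_scripts).strip()
    return bool(miner_indicators(html)) and len(visible_text) < 20


if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_RESOLV_CONF))
    print("miner indicators:", miner_indicators(SAMPLE_PAGE))
    print("hidden miner page:", page_looks_like_hidden_miner(SAMPLE_PAGE))
```

The resolver check flags only what is not on the allowlist, so a resolver change that the router's owner made deliberately still shows up and has to be added to the list; that is the intended trade-off, since a silent change is exactly what this attack relies on. The page check combines the script markers with the amount of visible text so that a legitimate site that openly runs a miner with a visible notice is not scored the same as a blank redirect page.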
"We strongly recommend that Android users turn off the option that allows installation of applications from third-party repositories, to keep their device safe," stated Kaspersky's research. "They should also be suspicious if their phones become unusually hot, which may be a side-effect of the hidden crypto-mining application in action."