A financially motivated threat group called “Roaming Mantis” was seen targeting Android and iOS device users through malicious SMS communications. The messages sent Android phone users to download pages while iOS users were redirected to credential-stealing login pages.

WhoisXML API researchers gathered more than 90 publicly available indicators of compromise (IoCs) and analyzed and expanded them using WHOIS, IP, and DNS intelligence. Our findings include:

• 7,000+ connected domains sharing the exact historic WHOIS details as one of the domain IoCs
• 1,100+ connected domains resolving to the IP addresses tagged as IoCs
• Dozens of artifacts tagged “malicious” by different malware engines
• Six countries and territories and nine different Internet service providers (ISPs) connected to the IP addresses
• Domain IoCs had the same WHOIS details, with GoDaddy as registrar and Domains By Proxy, LLC as privacy protection service provider

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Probing the IoCs Using DNS Intelligence

SEKOIA-IO published Roaming Mantis IoCs on GitHub, comprising 90 IP addresses used as payload servers and seven subdomains (belonging to three domains) contained in the SMS. A majority of the IP addresses were geolocated in China and South Korea, according to Bulk IP Geolocation lookup results.

The rest of the IoCs were distributed across four other locations—the Netherlands, France, the U.S., and Germany. See the chart below for the geolocation distribution of the IP addresses.

On the other hand, the top ISPs were LG DACOM Corporation and VKS-Internet Ltd. The other ISPs are reflected in the chart below.

We also examined the WHOIS records of the three domain IoCs using WHOIS API and found that they had the same details. Their registrar was GoDaddy and the rest of their WHOIS details were privacy-protected by Domains By Proxy, LLC.

All the domains were recently registered (June 2022) but one (xpddg[.]com) had a deeper WHOIS history that can be traced as far back as 2016. Threat actors seemingly got their hands on it in June but it was created way before that. The domain IoC also appears to have been created using a domain generation algorithm (DGA).

Expanding the IoC

We began our threat expansion with the malicious IP addresses listed as IoCs. Using Reverse IP/DNS API, we retrieved 1,170 domains that have resolved to the IP addresses at some point. These can be considered artifacts. About 88.55% were Duck DNS-hosted subdomains, while the rest were mostly DGA-created domains.

Another way to uncover more artifacts is by looking for properties sharing the IoCs’ WHOIS details. Since the IoCs’ current WHOIS records were redacted, we used the historic WHOIS information of xpddg[.]com, which included a registrant name and an email address. We found 7,086 artifacts currently and historically tied to these registrant details.

How Were the Artifacts Used?

While some domain connections may be coincidental, nearly 1% of the artifacts were flagged as malicious as of 1 August 2022. Several connected domains appear to be five-character DGA-created domains, just like the IoCs.

About 24% of the artifacts actively resolved to 890 unique IP addresses. Alarmingly, 23 IP addresses were on the Roaming Mantis IoC list.

We also performed a screenshot analysis of the resolving properties with the help of Website Screenshot API. Several domains were parked, but some content types stood out, such as news, gambling, and adult content.

Aside from these, some domains also hosted or redirected to login and download pages. To recall, these were the lures used by Roaming Mantis in their recent smishing campaign. We provided a few examples of these domains below.

The recent Roaming Mantis operation may have already duped thousands of users. SEKOIA-IO says that more than 90,000 unique IP addresses have already communicated with the command-and-control (C&C) servers.

Detecting IoC associations can help thwart malicious intentions behind the properties and ultimately aid in protecting end-users from phishing, credential theft, and other cybercrime. That is the goal of this threat report—from 97 IoCs, we uncovered thousands of connected domains, several of which were either suspicious or outright malicious.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.