Roaming Mantis

Threat type: Malicious Cryptomining
Roaming Mantis is a quickly evolving piece of mobile malware that is consistently upgraded with additional functionality. In its newer infection method, users receive a phishing SMS message that spoofs a legitimate delivery company, or are directed to an Apple phishing page. The message contains a malicious URL leading to a fraudulent website that downloads and installs a malicious payload.

Roaming Mantis is also distributed by abusing Prezi, a popular desktop application and online service used to create dynamic presentations. The attackers host presentations on Prezi that contain links claiming to offer free content but that actually lead to malicious redirects. Once installed, the malware collects personal data such as phone numbers, IP addresses, email addresses and user IDs, passwords, names, dates of birth, postal addresses, credit card information including the CVV, and banking information. Recent versions of the malware also launch evasive cryptomining processes after establishing a connection with the C&C server.
How Umbrella blocks Roaming Mantis
Umbrella blocks the domains tied to the malicious files as well as the IP addresses associated with command and control callbacks. Umbrella uses AV engines and Cisco Advanced Malware Protection (AMP) to block malicious files before they are downloaded. AMP detects Roaming Mantis as Trojan-Dropper.AndroidOS.Agent, and Umbrella proactively blocks the threat.

References

IOCs (Indicators of Compromise)
59.105.6[.]230, sagawa-aod[.]com, sagawa-aswe[.]com, sagawa-bngg[.]com, sagawa-bnwe[.]com, sagawa-cvbr[.]com, sagawa-cvdf[.]com, sagawa-dfef[.]com, sagawa-dfge[.]com, sagawa-efeh[.]com, sagawa-exgg[.]com, sagawa-expge[.]com, sagawa-expope[.]com, sagawa-exprb[.]com, sagawa-expsd[.]com, sagawa-expshg[.]com, sagawa-expuu[.]com, sagawa-expwhs[.]com, sagawa-expx[.]com, sagawa-expz[.]com, sagawa-extt[.]com, sagawa-exwe[.]com, sagawa-exxc[.]com, sagawa-exzz[.]com, sagawa-fghe[.]com, sagawa-fgrh[.]com, sagawa-fsag[.]com, sagawa-fsdh[.]com, sagawa-fsqq[.]com, sagawa-fssdf[.]com, sagawa-fswe[.]com, sagawa-gdhe[.]com, sagawa-gert[.]com, sagawa-gfde[.]com, sagawa-gfer[.]com, sagawa-grde[.]com, sagawa-grr[.]com, sagawa-hfje[.]com, sagawa-jhkl[.]com, sagawa-jllj[.]com, sagawa-mme[.]com, sagawa-mmi[.]com, sagawa-mmo[.]com, sagawa-mmp[.]com, sagawa-mmq[.]com, sagawa-mmr[.]com, sagawa-mmt[.]com, sagawa-mmu[.]com, sagawa-mmw[.]com, sagawa-mmy[.]com, sagawa-otfd[.]com, sagawa-othh[.]com, sagawa-otpe[.]com, sagawa-otqc[.]com, sagawa-otqw[.]com, sagawa-otqwt[.]com, sagawa-ottt[.]com, sagawa-otvb[.]com, sagawa-otvbd[.]com, sagawa-otww[.]com, sagawa-ouiu[.]com, sagawa-pasi[.]com, sagawa-pasif[.]com, sagawa-pcs[.]com, sagawa-pfe[.]com, sagawa-plop[.]com, sagawa-polsw[.]com, sagawa-ppiu[.]com, sagawa-sdfh[.]com, sagawa-sdge[.]com, sagawa-twwy[.]com, sagawa-wqtw[.]com, sagawa-yryr[.]com, sagawa-ytqq[.]com, sagawa-ytqw[.]com, softbank-noticw[.]com, softbank-soe[.]com, softbank-soee[.]com, softbank-soew[.]com, softbank-sow[.]com
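As an added example (not code from this page or from Cisco Umbrella), the following Python script refangs the IOC list above and runs it over a DNS resolver log, so a defender can find hosts that have already resolved the listed domains before the block was in place. The log line format, the small IOC subset embedded in the script, and the lookalike regular expression are assumptions made for this example: the regex only captures the brand-hyphen-short-suffix shape visible in the list and is meant to surface candidates for triage, not to serve as a blocking rule on its own.

```python
import re
from collections import Counter

# Subset of the defanged IOCs listed on this page. The full list can be pasted
# into this string unchanged; the parser handles the same comma-separated format.
DEFANGED_IOCS = """
59.105.6[.]230, sagawa-aod[.]com, sagawa-aswe[.]com, sagawa-expge[.]com,
sagawa-mme[.]com, softbank-noticw[.]com, softbank-soe[.]com
"""

# Heuristic derived from the shape of the listed domains (brand, hyphen, short
# random suffix, .com). This is an assumption made for the example, not an
# indicator published on the page, so a lookalike hit is a triage lead rather
# than a confirmed compromise.
LOOKALIKE = re.compile(r"^(sagawa|softbank)-[a-z0-9]{2,8}\.com$")

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (example[.]com) back into its real form."""
    return ioc.strip().lower().replace("[.]", ".")


def parse_iocs(text: str):
    """Split the page's comma-separated list into a domain set and an IP set."""
    domains, ips = set(), set()
    for token in re.split(r"[,\s]+", text):
        if not token:
            continue
        value = refang(token)
        (ips if IPV4.match(value) else domains).add(value)
    return domains, ips


IOC_DOMAINS, IOC_IPS = parse_iocs(DEFANGED_IOCS)


def classify_qname(qname: str):
    """Return 'known_ioc', 'lookalike' or None for one DNS query name.

    A query for any label under a listed domain (www.sagawa-aod.com) counts as
    a hit on that domain; the trailing dot and mixed case seen in DNS logs are
    normalised away first.
    """
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    # Walk from the full name up to its parent domains: a.b.c -> b.c
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in IOC_DOMAINS:
            return "known_ioc"
    if LOOKALIKE.match(name):
        return "lookalike"
    return None


def scan_dns_log(lines):
    """Classify log lines of the assumed form
    '<timestamp> <client_ip> <qtype> <qname>' and return the hits in order."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines instead of crashing
        ts, client, _qtype, qname = parts
        verdict = classify_qname(qname)
        if verdict:
            hits.append({"time": ts, "client": client,
                         "qname": qname.rstrip("."), "verdict": verdict})
    return hits


def clients_by_verdict(hits):
    """Count hits per (client, verdict) so triage order is obvious: a host with
    a known_ioc hit has already contacted infrastructure on the block list."""
    return Counter((h["client"], h["verdict"]) for h in hits)


# Constructed resolver log for this example; not real traffic.
SAMPLE_DNS_LOG = """\
2019-02-14T09:12:33Z 10.0.0.5 A sagawa-aod.com.
2019-02-14T09:12:34Z 10.0.0.5 A www.sagawa-aod.com.
2019-02-14T09:15:01Z 10.0.0.7 A prezi.com.
2019-02-14T09:16:45Z 10.0.0.9 A SAGAWA-ZZQQ.COM.
2019-02-14T09:17:10Z 10.0.0.9 A sagawa-exp.co.jp.
2019-02-14T09:18:02Z 10.0.0.12 AAAA softbank-soe.com.
"""

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG.splitlines())
    for hit in found:
        print(f"{hit['time']} {hit['client']:<10} {hit['verdict']:<10} {hit['qname']}")
    print(clients_by_verdict(found))
```

Exact and parent-domain matches are reported as known_ioc; sagawa-zzqq.com is flagged only as a lookalike because it is not on the list, and sagawa-exp.co.jp is left alone because the heuristic is deliberately restricted to the .com shape the page shows. Queries for prezi.com are not flagged: the page says the service was abused for redirects, not that the domain itself is malicious.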

How it works