top of page

MoqHao Part 3: Recent Global Targeting Trends

Updated: Jul 20, 2023

Introduction


This blog post is part of an ongoing series of analysis on MoqHao (also referred to as Wroba and XLoader), a malware family commonly associated with Roaming Mantis. MoqHao is generally used to target Android users, often via an initial attack vector of phishing SMS messages (smishing).



The threat group behind Roaming Mantis are characterized as Chinese-speaking and financially motivated, first public acknowledgement goes back to around 2018. The group has historically targeted countries in the Far East – Japan, South Korea and Taiwan, but they are expanding their campaign.


In our most recent post (MoqHao Part 2: Continued European Expansion), we demonstrated how Roaming Mantis had widened their sights to Western countries, including France, Germany, the United Kingdom, and the United States.

 
Further Reading

 

In this post we will explore whether Roaming Mantis have continued to expand their operations over the past year, focusing on their activities in recent months. In doing so we will seek to highlight some techniques which we have utilized to pivot to connected infrastructure.


Key Findings


  • Identification of 14 MoqHao C2 servers, based on malware analysis and pivots within contextual data sets.

  • Evidence of Roaming Mantis campaigns targeting every continent, with Africa, Asia, and Europe the most impacted.

  • Close to 1.5 million victim communications to the MoqHao C2 servers observed since the end of 2022.

  • The scope of Roaming Mantis continues to grow; all mobile users should be conscious of smishing threats, particularly from operators who have evolved their campaigns over several years.


MoqHao Command & Control


As in previous posts, our analysis begins with the identification of infrastructure utilized for the purpose of post-infection communications, once a malicious APK (MoqHao) has been installed on a victim device.


The rationale for this approach is two-fold:


  1. The delivery and installation methodology for MoqHao includes the use of ‘disposable’ staging infrastructure which generally utilizes Dynamic DNS services, in addition to legitimate platforms, such as Baidu, Imgur, Pinterest, and VKontakte. Analysis of network telemetry data associated with these phases of an infection is complicated by the presence of security research, scanning, and (large volume) benign user activity. Furthermore, until beacons to a Moqhao C2 server are observed, it is not wholly accurate to identify any communications as ‘victim’ related.

  2. Whilst MoqHao’s delivery infrastructure has a short shelf life, its C2 infrastructure is used for extended periods of time and in some cases even reused after periods of inactivity. By analyzing stable infrastructure, we can draw higher level conclusions on targeting, i.e., where large groupings of victim connections originate from. In addition, as this infrastructure is more static, by disclosing it we can have the greatest impact on Roaming Mantis operations.


Figure 1: Simplified Delivery Chain for MoqHao


Our initial method of identifying MoqHao C2 infrastructure is based on analysis of malware samples. In this case we have started with three malware samples identified within our internal malware holdings, which are also available in VirusTotal.


MoqHao is detected by several antivirus vendors as ‘Wroba’, querying for this string within malware repositories will generally lead to connected samples.


37134b50f0c747fb238db633e7a782d9832ae84b


This file was first uploaded on 24 October 2022 by a user in Canada, it is configured to receive C2 information (91.204.227.31:28877) from a user profile on VKontakte.


Examining network telemetry for 91.204.227.31 (HDTIDC - South Korea) we observe a campaign targeting users in Australia, with the most recent victim connections occurring around 29 January 2023.


Open Ports information for 91.204.227.31 identifies that TCP/5985 was open during the period when victim connections occurred. The banner data obtained from scanning that port contains reference to a Computer / Domain Name - WIN-VLVN3FLKKGL.


Figure 2: Open Ports Information for 91.204.227.31


Pivoting on the WIN-VLVN3FLKKGL value we identified four additional IP addresses, all within 91.204.227.0/26.


We found victim communications to three of these IP addresses, two of which were identified in previous reporting (by Kaspersky) as MoqHao C2 servers:


  • 91.204.227.32 << Kaspersky C2

  • 91.204.227.33 << Kaspersky C2

  • 91.204.227.51


The first two C2s are used in campaigns primarily targeting users located in Asia, but also Australia (as was the case with 91.204.227.31). A significant proportion of victims were in Japan, Nepal, and Thailand.


91.204.227.51 was used as the C2 server for a campaign targeting users in France, with the last victim connections observed around 26 February 2023.


198b55d4e7c7c0ee4fc4cbe13859533e651b91f6


This file was first uploaded on 20 February 2023 by a user in Canada, it is configured to receive C2 information (198.144.149.142:28866) from a user profile on VKontakte.


Examining network telemetry for 198.144.149.142 (NETMINDERS - Canada) we observe a campaign targeting users globally - in Africa, Asia, Europe, North America, and Oceania, with victim connections still occuring at the time of writing.


Open Ports information for 198.144.149.142 identifies an RDP certificate hosted on TCP/3389 with a Common Name value of sid380.


Figure 3: Certificate Data for 198.144.149.142


Pivoting on the sid380 value we identified 12 additional IP addresses, all within 198.144.149.128/28.


We found victim communications to one of these IP addresses, which was identified in the Kaspersky reporting as a MoqHao C2 server:


  • 198.144.149.131 << Kaspersky C2


As in the case of 198.144.149.142, this C2 is used in campaigns targeting users globally, further including South America (Brazil and Suriname).


5ceb8950759a8d9d31389d1370d381d158c79fbe


This file was first uploaded on 25 February 2023 by a user in Japan, it is configured to receive C2 information (91.204.227.43:29872) from a user profile on VKontakte.


Examining network telemetry for 91.204.227.43 (HDTIDC - South Korea) we observe a campaign targeting users in India, with the most recent victim connections occurring around 03 March 2023.


Open Ports information for 91.204.227.43 identifies that TCP/5985 was open during the period when victim connections occurred. The banner data obtained from scanning that port contains reference to a Computer / Domain Name - M172-17-64-184.


Figure 4: Open Ports Information for 91.204.227.43


Pivoting on the M172-17-64-184 value we identified 13 additional IP addresses, all within 91.204.227.0/26.


We found victim communications to seven of these IP addresses, one of which was identified in the Kaspersky reporting as a MoqHao C2 server:


  • 91.204.227.37

Campaigns targeting users in Turkey and the United States.


  • 91.204.227.39 << Kaspersky C2

Campaigns primarily targeting users in India and Nepal, with additional targeting in the Middle East and North America.


  • 91.204.227.41

A campaign targeting users in South Africa.


  • 91.204.227.42

Campaigns primarily targeting users in Europe (Austria and Czech Republic), with additional targeting in Asia and the Middle East.


  • 91.204.227.47

Campaigns targeting users in Malaysia and Nepal.


  • 91.204.227.48

A campaign targeting users in the Czech Republic, with additional targeting in Belgium, the Dominican Republic, and Turkey.


  • 91.204.227.49

Campaigns targeting users in India, Portugal, South Africa, and the United Kingdom, with smaller clusters of victims globally (Africa, Asia, Europe, the Middle East, North America, and Oceania).


Conclusion


Whilst this analysis is caveated by the fact it is based on sampled data, and that some researcher / scanning activity likely slipped through our net, we were able to identify connections, indicative of victims, from 67 distinct countries.


Approximately 80% of connections were from the East Asian region (primarily Japan), which could be referred to as the ‘traditional’ operating base of Roaming Mantis. However, when you remove those connections from the data, you’re left with a picture of the operators’ efforts to expand globally.


Figure 5: Spread of Victim Communications


Users from Africa, other regions in Asia, and Europe in particular are increasingly appearing in victim communications to MoqHao infrastructure.


Smishing often doesn’t receive the same level of attention as phishing when it comes to the malware delivery stakes. But, with over 1 million observed victim connections since the end of 2022 related to Roaming Mantis alone, it is clearly a viable initial access vector.


If Roaming Mantis can develop their delivery methods globally, to match the depth and ‘real feel’ spoofing of their East Asian campaigns, we would anticipate that the threat to users will continue to grow over coming months and years.


Recommendations


  • We encourage continued education on mobile device security in general and smishing more specifically, to arm users with the knowledge required to identify and avoid threats.

  • Where feasible, connections to the static MoqHao C2 servers listed in the IOC section below should be pre-emptively blocked.

  • Users of Pure Signal Recon can track MoqHao campaigns based on the methods described in this blog post.


IOCs


MoqHao Samples


198b55d4e7c7c0ee4fc4cbe13859533e651b91f6

37134b50f0c747fb238db633e7a782d9832ae84b

5ceb8950759a8d9d31389d1370d381d158c79fbe



MoqHao C2 Servers (With Port Pairings 🍷)


ACTIVE (14 March 2023)

HDTIDC LIMITED - South Korea:

91.204.227.32:28877

91.204.227.33:28899

91.204.227.37:28836

91.204.227.37:28856

91.204.227.39:28844

91.204.227.41:29869

91.204.227.42:29871

91.204.227.47:28999

91.204.227.48:28843

91.204.227.49:29870


NETMINDERS - Canada:

198.144.149.131:28866

198.144.149.142:28866



INACTIVE (Date)

HDTIDC LIMITED - South Korea:

91.204.227.31:28877 (29 January 2023)

91.204.227.43:29872 (03 March 2023)

91.204.227.51:36599 (26 February 2023)


NETMINDERS - Canada:

198.144.149.131:28867 (05 January 2023)

198.144.149.131:28868 (22 February 2023)

198.144.149.131:28869 (03 January 2023)


1 Comment


Before using Recon, the team didn't have to do much to clean up their emails because they had good rules and custom block lists. basket random

Like
bottom of page