top of page
S2 Research Team

MoqHao Part 2: Continued European Expansion

Updated: Jun 23

Monitoring Roaming Mantis Operations with Pure Signal™ Recon


This blog is a product of ongoing collaboration with @ninoseki, a Tokyo-based researcher who has tracked MoqHao for several years. His public GitHub contains numerous useful OSINT threat hunting tools.


Introduction

MoqHao (also referred to as Wroba and XLoader) is a malware family commonly associated with the Roaming Mantis threat actor group. MoqHao is generally used to target Android users, often via an initial attack vector of phishing SMS messages (smishing).


Roaming Mantis are characterized as Chinese-speaking and financially motivated. The group has historically targeted countries in the Far East – in particular Japan, South Korea and Taiwan.


We have previously blogged on a MoqHao campaign targeting Japan during the Golden Week holiday period in April/May 2021.


In the recent past, several vendors (e.g., Kaspersky) have noted an expansion in Roaming Mantis’ operations to include several European countries.



In this blog we will examine open-source hints attributable to the threat actors, coupled with Team Cymru’s insights, to provide an assessment of Roaming Mantis’ current target base.

Landing Pages

When following a malicious link distributed in a Roaming Mantis smishing campaign, users are directed to a landing page. These pages are tailored specifically to a target country / language; users from other regions are presented with an error page (404 – resource not found).


Based on the user-agent information for the connecting device, one of two outcomes will occur:

  • For Android devices, a malicious APK (MoqHao) is downloaded. .

  • For Apple (iOS) devices, the user is presented with a phishing page where they are asked to enter credentials for a spoofed entity.

LANDING PAGE CHARACTERISTICS


To determine common characteristics of the infrastructure utilized for the hosting of Roaming Mantis landing pages, 43 IP addresses, which were observed hosting these pages since the beginning 2022, were analyzed. The following findings were true across all the IPs: .

  • The re-use of the same X.509 certificate (SHA1: 834024f91f67445a7fd1a98689cb3f49b4c3ade7), hosted on TCP/443. This certificate has a common name value of localhost and an alt name value which contains (at the time of reporting) 335 legitimate domains, summarized as follows:

  • Global brands, such as Google, PayPal, Tumblr, and YouTube.

  • South Korean entities, such as Naver and Daum.

  • ccTLDs for .kr (South Korea) and .tw (Taiwan).

  • A consistently observed JARM fingerprint (29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38).

  • Open ports; TCP/5985, TCP/10081, TCP/47001.

Passive scanning of TCP/10081 on the landing page hosting IPs indicated an additional HTTP service listening on this port. The HTML title value for this service provides useful insight into victim targeting, as summarized below.


HTML Title = 美国下载 (US Download)

142.0.136.49

142.0.136.50

142.0.136.52

142.4.97.105

142.4.97.106

142.4.97.107

142.4.97.108

142.4.97.109


HTML Title = 英国下载 (UK Download)

134.119.193.106

134.119.193.108

134.119.193.109

134.119.193.110

192.51.188.142

192.51.188.145

192.51.188.146


HTML Title = 韩国下载 (South Korea Download)

27.124.36.25

27.124.36.27

27.124.36.32

27.124.36.52

27.124.39.241

27.124.39.242

27.124.39.243


HTML Title = 日本下载 (Japan Download)

192.51.188.101

192.51.188.103

192.51.188.111

192.51.188.14

91.204.227.111

91.204.227.15

91.204.227.18

91.204.227.20

91.204.227.30

91.204.227.32

91.204.227.40


HTML Title = 德国下载 (Germany Download)

146.0.74.157

146.0.74.197

146.0.74.199

146.0.74.202

146.0.74.203

146.0.74.205

146.0.74.206

146.0.74.228


HTML Title = 法国下载 (France Download)

134.119.205.21

134.119.205.22


As can be seen, in addition to campaigns targeting France, Germany, Japan, South Korea, and the United States, infrastructure was set up for the specific targeting of UK-based users. This finding would indicate a further expansion of Roaming Mantis’ operations within Europe.

MoqHao Command & Control

In this section we will examine network telemetry relating to the connections made once the malicious APK (MoqHao) is installed on a victim Android device.


By examining this stage of the attack, it is possible to identify potential victims with a higher degree of certainty. This confidence is based on the chain of events leading to this point, i.e., a user has interacted with a link contained within an SMS message, visited a landing page, and the malicious APK has successfully been deployed on the user’s device to the point where it has begun to beacon to the C2 server.


The starting point for this part of the analysis was a MoqHao sample (SHA1: 74558f86e4b4513f7f52d6b99b7e06d978aec97b) uploaded to VirusTotal by a user in the United Kingdom on March 16, 2022.


Analysis of this sample identified a C2 server hosted on 103.249.28.207 (EHOSTICT, KR). Network telemetry for this IP revealed a small number of connections inbound on TCP/28866, sourced from IP addresses assigned to UK mobile providers.


In addition, 103.249.28.207 was observed as a C2 server in what appeared to be four further campaigns:

  • TCP/28866 – Spain, Turkey

  • TCP/29869 – South Africa

  • TCP/28844 – Afghanistan, Bangladesh, India, Iran, and Pakistan (South Asia)



Passive scanning of 103.249.28.207 identified open TCP/3389 (commonly associated with the Remote Desktop Protocol (RDP)), with a machine name of WIN-MM79JTRSTL7.


As an aside, screen captures of RDP activity on 103.249.28.207, sourced from Shodan, provided another ‘Chinese’ flag for this activity.


As recently as January 05, 2022, a remote login page was captured (associated with machine name WIN-MM79JTRSTL7), which indicated Chinese language settings – the characters 密码, meaning ‘password’ in Mandarin, were displayed.


Figure 3: Remote login portal for 103.249.28.207 (January 2022)


This login page was visible dating back to the end of 2020, all the time associated with the same machine name (WIN-MM79JTRSTL7). A screen capture from January 22, 2020, indicated Korean language settings – the characters 암호, meaning ‘password’ in Korean, were displayed.


Figure 4: Remote login portal for 103.249.28.207 (January 2020)


Given that 103.249.28.207 is assigned to a South Korean provider (Ehost IDC), the information from Shodan may be indicative of a Chinese-speaking user accessing / utilizing the machine since late 2020.


A pivot on the value WIN-MM79JTRSTL7 identified a further eight IP addresses, all assigned to EHOSTICT, KR, which were accessed by the same machine. Network telemetry data was obtained for these IPs for the beginning of 2022 onwards, where MoqHao campaigns were identified, they are referenced in Table 2 below

IP Address

C2 Port

Target Countries

103.249.28.206

37689

China, Hong Kong, Japan, Singapore, Taiwan

103.249.28.208

38866, 38876

Taiwan

103.249.28.209

28856

United States

103.249.28.210

N/A

No active campaigns

61.97.248.5

28836

Turkey

61.97.248.6

N/A

No active campaigns

61.97.248.7

N/A

No active campaigns

61.97.248.8

N/A

No active campaigns


In the case of 103.249.28.210, samples uploaded to VirusTotal in early 2021 provide an indication as to when it was an active MoqHao C2. For the remaining IPs it is not clear if they were previously MoqHao C2s. One possibility may be that they are being configured for future use.


Although not an exhaustive study of MoqHao C2 infrastructure, it is clear from the findings of this analysis and other findings from the community, that Roaming Mantis continue to expand their operations. What was previously considered to be a regional threat now has a global footprint.

Indicators of Compromise

MOQHAO C2 SERVERS

103.249.28.206 103.249.28.207 103.249.28.208 103.249.28.209 61.97.248.5


MOQHAO SAMPLE

74558f86e4b4513f7f52d6b99b7e06d978aec97b

bottom of page