A group of Chinese hackers called Roaming Mantis is carrying out a phishing campaign in France using text messages that pretend to be about a package delivery.
A group of Chinese hackers has launched a sophisticated SMS phishing campaign on French soil. As many as 70,000 Android devices are believed to have been infected by the attackers. The operation was spotted by Sekoia, a company specializing in cybersecurity, which detailed the hackers' methods in a report published on July 18.
The group of hackers, known as “Roaming Mantis”, is already behind numerous data collection campaigns against European citizens. This time the hackers sent a phishing SMS reading “Your package has been sent. Please check it and receive it”, along with a fraudulent link. Once the victim visits this URL, the page offers them a web browser update, which discreetly installs the malware. Note that the malware is only delivered if the user is in France; otherwise a “404 not found” message is displayed.
Specialists in bank data theft
Once downloaded, the malicious software, called MoqHao and a pure product of the Roaming Mantis hackers, infiltrates the smartphone and automatically collects information on the compromised device. Sekoia researchers even found that the attackers were sending booby-trapped text messages from already infected smartphones. “We traced one of the numbers used to send phishing text messages; it was an average person whose phone was hijacked without them realizing it,” Quentin Bourgue, cyber engineer at Sekoia, tells us. Bourgue traced the fraudulent message back to the hackers after receiving the text message himself.
“We think they are financially motivated. The group steals a massive amount of data from individuals, but we do not yet know the ultimate interest. It can be the sale of data, a first act before another more advanced step.”
Roaming Mantis is a threat actor identified by McAfee in 2017 that has remained active ever since. Its methods have not changed either. The group started with SMS phishing campaigns in South Korea, then in Japan, before expanding to Europe over the past year. The stolen data is often banking credentials, so be careful not to accidentally click on links in any questionable SMS.