
DNS changer in malicious mobile app used by Roaming Mantis

Kaspersky investigated the actor's activity throughout 2022 and observed a DNS changer function used to break into Wi-Fi routers and carry out DNS hijacking. This was newly implemented in the known Android malware Wroba.o/Agent.eq (a.k.a. Moqhao, XLoader), the main malware used in this campaign.

DNS hijacking is a fairly typical attack method. It allows the attacker to:

• Change the DNS lookup settings. This can be done by editing the configuration file, or by altering the registry on Windows-based systems. On Android-based devices, this can be done by intercepting a DNS query through DNS spoofing and redirection;
• Communicate with malware installed on the infected device without being blocked;
• Perform man-in-the-middle attacks in order to more easily obtain valid one-time passwords from users;
• Block access to websites which are under attack.
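A practical check that follows from the list above: once a router's DNS settings are changed, every client on the Wi-Fi network is handed a rogue resolver by DHCP, and that resolver can answer selectively, returning honest records for most names and attacker-controlled addresses only for the targeted ones. The script below is an added example (not Kaspersky's code and not part of the malware) that shows the two signals a client can collect locally: the resolvers advertised by DHCP compared against an expected set, and the answers for a few sentinel names compared against a trusted out-of-band resolver. All addresses, names and the expected resolver set are constructed placeholders (RFC 5737 documentation ranges), not real campaign indicators.

```python
"""Detect signs of router-level DNS hijacking from data a client can gather locally.

Added example, not code from the original page, Kaspersky, or the malware.
All input below is constructed: the DHCP-advertised resolvers, the expected
resolver set, and A-record answers from a suspect and a trusted resolver.
"""
import ipaddress

# Resolvers a router on this network is expected to hand out (assumed values:
# the router's own LAN address plus the two public resolvers the site uses).
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}

# Constructed DHCP lease: a tampered router advertises one rogue resolver alongside
# the legitimate one, so ordinary browsing still works and nothing looks broken.
DHCP_DNS_SERVERS = ["192.168.1.1", "203.0.113.77"]  # 203.0.113.0/24 is TEST-NET-3

# Constructed answers for the same sentinel names, queried through the suspect
# (DHCP-advertised) resolver and through a trusted resolver reached out of band.
SUSPECT_ANSWERS = {
    "bank.example": {"198.51.100.10"},           # poisoned: attacker-controlled host
    "mail.example": {"192.0.2.25"},              # honest: forwarded unchanged
    "cdn.example": {"192.0.2.40", "192.0.2.41"},  # honest: CDN rotation differs a bit
}
TRUSTED_ANSWERS = {
    "bank.example": {"192.0.2.10"},
    "mail.example": {"192.0.2.25"},
    "cdn.example": {"192.0.2.41", "192.0.2.42"},
}


def rogue_resolvers(advertised, expected=EXPECTED_RESOLVERS):
    """Return the advertised DNS servers that are not in the expected set.

    Addresses are normalised through ipaddress so that "::ffff:1.1.1.1" style
    or zero-padded forms do not slip past a plain string comparison.
    """
    rogue = []
    for server in advertised:
        ip = ipaddress.ip_address(server)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if str(ip) not in expected:
            rogue.append(str(ip))
    return rogue


def hijacked_names(suspect, trusted):
    """Return names whose suspect answer shares no address with the trusted answer.

    CDNs and load balancers legitimately return partially overlapping sets, so a
    name is flagged only when the two answer sets are completely disjoint.
    """
    flagged = {}
    for name, trusted_ips in trusted.items():
        suspect_ips = suspect.get(name, set())
        if suspect_ips and suspect_ips.isdisjoint(trusted_ips):
            flagged[name] = sorted(suspect_ips)
    return flagged


def assess(advertised, suspect, trusted):
    """Combine both signals into one verdict dictionary."""
    rogue = rogue_resolvers(advertised)
    poisoned = hijacked_names(suspect, trusted)
    return {
        "rogue_resolvers": rogue,
        "poisoned_names": poisoned,
        "hijack_suspected": bool(rogue) or bool(poisoned),
    }


if __name__ == "__main__":
    verdict = assess(DHCP_DNS_SERVERS, SUSPECT_ANSWERS, TRUSTED_ANSWERS)
    print("Unexpected DHCP resolvers:", verdict["rogue_resolvers"])
    print("Names with disjoint answers:", verdict["poisoned_names"])
    print("DNS hijack suspected:", verdict["hijack_suspected"])
```

The resolver check is the stronger signal: a rogue resolver that forwards most queries honestly will pass the answer comparison for every name it does not target, so the sentinel list has to include the names the attacker is likely to poison (banking, mail, app-store and update hosts), and the trusted resolver must be reached over a path the router cannot rewrite, such as DNS over HTTPS to a pinned endpoint or a mobile-data connection.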

The DNS changer implemented by the attackers in Wroba.o/Agent.eq provides the DNS hijacking part of the attack, while also launching exploits against vulnerabilities in routers and Wi-Fi access points.

In this attack scenario, the malware is delivered to devices via a malicious application, which is presented to users as an app developed by a Chinese company. After installation, it scans for nearby Wi-Fi networks and attacks vulnerable devices on those networks.

Source: DNS changer in malicious mobile app used by Roaming Mantis - AlienVault - Open Threat Exchange
