Tue. Jun 2nd, 2020

Hackers use malicious content delivery system to target iOS devices

The latest report from Kaspersky Lab's research team shows that the hacker group known as Roaming Mantis has started attacking iOS devices to load in-browser cryptocurrency mining scripts.

Roaming Mantis, first identified at the beginning of the year, has kept changing and developing rapidly. Its primary attack method has been to compromise home routers and tamper with their DNS server settings.

The purpose of tampering with the DNS settings is to redirect users to a phishing website that steals their Apple ID and password; with the stolen credentials the attackers then lock the iOS device and demand a ransom.
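A practical check that follows from this attack pattern, added here as an example and not part of the Kaspersky report or this article: compare the A records a client receives for a sensitive hostname through the router-supplied resolver against the answer from an independently reached trusted resolver (for example a DoH endpoint that the router's DNS setting cannot influence). The hostname, addresses and netblocks below are constructed placeholders taken from the RFC 5737 documentation ranges, and both responses are built in DNS wire format so the check runs offline; in practice the two replies would come from real queries.

```python
"""Detect router-level DNS hijacking by comparing two resolvers' answers.

Added example: the responses are constructed in DNS wire format (RFC 1035)
so that the parser and the comparison can be exercised without a network.
"""
import ipaddress
import struct


def _read_name(msg: bytes, offset: int):
    """Decode a DNS name starting at offset, following compression pointers.

    Returns (dotted name, offset of the first byte after the name as it
    appears in the message, i.e. after the pointer if one was used).
    """
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset = pointer
            jumped = True
            continue
        if length == 0:  # root label terminates the name
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), end


def parse_a_records(msg: bytes):
    """Return the IPv4 addresses of all A records in a response's answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12  # fixed-size header
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:  # TYPE A
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return addrs


def build_a_response(qname: str, addrs):
    """Construct a minimal DNS response; used here only to fabricate sample input."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = name + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for a in addrs:
        # Name compressed as a pointer to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(a).packed
    return header + question + answers


def hijack_suspected(configured_reply: bytes, trusted_reply: bytes, legit_prefixes):
    """True when the router-supplied resolver points the client outside the
    operator-supplied legitimate netblocks while the trusted resolver does not."""
    nets = [ipaddress.ip_network(p) for p in legit_prefixes]

    def inside(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    configured = parse_a_records(configured_reply)
    trusted = parse_a_records(trusted_reply)
    return bool(configured) and all(inside(a) for a in trusted) and not all(inside(a) for a in configured)


if __name__ == "__main__":
    # Constructed placeholders: hostname and addresses from RFC 5737 ranges.
    host = "login.example.test"
    legit = build_a_response(host, ["203.0.113.10"])   # what a trusted resolver returns
    rogue = build_a_response(host, ["198.51.100.7"])   # what a hijacked router's resolver returns
    print("hijack suspected:", hijack_suspected(rogue, legit, ["203.0.113.0/24"]))
```

The allowlist of legitimate prefixes is deliberately an input rather than a hard-coded table, since the netblocks that matter depend on which login portal the campaign impersonates; the comparison against a trusted resolver catches the case where the router's resolver returns an address the real service never uses.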

Testing mining on iOS devices:

It is unclear whether the phishing yield was too low or something else prompted the change, but Roaming Mantis began testing the loading of a mining script on iOS devices.

When a user is redirected to a web page carrying the mining script, processor load spikes. The user can stop the in-browser mining simply by closing the browser.

After a few days of testing, the redirect was switched back to the phishing website. It appears Roaming Mantis was only experimenting to find out which approach maximizes its revenue.

Off-topic: the performance of mobile devices, iOS devices included, is far too low for mining to be worthwhile, so users should not try to mine with their phones.


Automatically block Japanese user access:

Interestingly, Roaming Mantis was first discovered by Japanese researchers, and the group now explicitly shields Japanese users from the phishing pages.

When the web page detects that the device language is set to Japanese, it neither runs the mining script nor redirects the user to the Apple account phishing website. Researchers reproducing this behaviour therefore need to test with a device language other than Japanese.

Roaming Mantis presumably worried that the Japanese researchers would keep following up and chose to filter them out automatically, but Kaspersky has caught up with the group all the same.

Malicious ad traffic to infect Windows and Android devices:

Although Roaming Mantis's primary attack method is to tamper with DNS server settings through the router, the routers themselves are first compromised by malware running on devices behind them.

The group does not use an IoT worm such as Mirai to infect routers; instead it relies on pornographic advertising to lure users into downloading a Trojan.

If a user falls for the pornographic ads and installs the Trojan, the malware then reaches the router over the local network and tries to exploit vulnerabilities in it, which is how the DNS settings get changed.