Roaming Mantis: Real-Time Case Study in Compromised Public WiFi

Introduction

The longer you go without being hit by a data breach, the more natural it becomes to get blasé about the routine steps that keep your devices secure. For example, most of us use public WiFi when we're out of the house to look something up quickly, even though we know it isn't as safe as our locked, private home network.

It's important to keep in mind the very real dangers of public WiFi, because anyone could be using it. Someone with the skill and the inclination can do real damage to everyone else on the same open network.

Malware with DNS Changer Functionality

On January 19th, researchers reported a piece of mobile malware carrying what's called domain name system (DNS) changer functionality.

A DNS changer is simply a tool that changes the DNS settings of a device or network, that is, which servers it asks to translate hostnames into IP addresses. Users do this legitimately to switch to a faster or more private resolver, to block malicious domains through a filtering resolver, or for troubleshooting. The important point is that whoever controls the resolver decides where every hostname on that network points.

When weaponized, though, a malicious changer redirects every device on the compromised network to a DNS server the attacker controls. The attacker can then answer lookups for legitimate sites with the addresses of fake landing pages, serve malicious downloads, and ultimately take over your accounts or even your whole device.

Roaming Mantis Strikes Hard

New DNS changer functionality was recently discovered in malware belonging to a cyber-threat group known as Roaming Mantis. The group was first identified back in 2018, and its latest malware targets particular router manufacturers. The malware, an Android trojan known as Wroba.o, obtains the IP address of the WiFi router the infected phone is connected to (its local gateway address on the network, not a geographic identifier), uses it to identify the router model, and then changes the router's DNS settings so that it effectively takes over the whole network.

Although the DNS-changing functionality currently targets routers in South Korea, cyber-threats spread quickly once the wider criminal community latches on. The Wroba.o malware was already detected in France, the U.S. and Japan in the last quarter of 2022.

Conclusion

Roaming Mantis targets specific router models because it knows their default admin logins. People often never change these credentials when they first set up a device, and that is exactly what the cybercriminals are counting on. Change your router's admin password, keep it private, and install vendor-vetted firmware updates.

Routinely check that your router hasn't been compromised: log in to its admin page and confirm that the DNS servers are the ones you or your ISP configured, and compare what your network resolves a familiar site to against the answer from a trusted public resolver. On a day-to-day basis, don't let your guard down just because you haven't been compromised yet. New, unexpected cyber-threats could be just around the corner.
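The two checks described above, written out as an added example (this is not code from the original article or from any Roaming Mantis research): parse the nameservers a device was handed, sort them into router, known-public and unexplained addresses, and then compare answers from the default resolver with answers from a trusted one. The resolver allowlist, the sample resolv.conf and the hostname answers are constructed for the demo; for a live run you would replace the trusted-lookup stub with a real query to a public resolver (for example with `dig @9.9.9.9` or a DNS library), since the standard library only queries the system's default resolver.

```python
"""Check a device's DNS configuration for signs of a DNS changer.

Added example (not from the original article): two checks a home user or
admin can run after joining a network.
  1. Every nameserver the device was handed is either the router itself
     (a LAN address) or a resolver on a personal allowlist.
  2. A handful of hostnames resolve to the same addresses through the
     default resolver (normally the router) as through a trusted resolver.
     A router whose upstream DNS has been changed will answer differently.
The allowlist, hostnames and sample data below are constructed for the demo.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Set

# Constructed allowlist of public resolvers; add the ones your ISP hands out.
KNOWN_RESOLVERS: Set[str] = {
    "1.1.1.1", "1.0.0.1",          # Cloudflare
    "8.8.8.8", "8.8.4.4",          # Google
    "9.9.9.9", "149.112.112.112",  # Quad9
}

# Address ranges a home router or the device itself can legitimately use.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 equivalents
)]


def parse_resolvers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    found = []
    for line in resolv_conf.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            found.append(m.group(1))
    return found


def classify_resolvers(servers: Iterable[str],
                       allowlist: Set[str] = KNOWN_RESOLVERS) -> Dict[str, List[str]]:
    """Sort nameservers into 'lan' (router/local), 'known' and 'suspicious'."""
    result: Dict[str, List[str]] = {"lan": [], "known": [], "suspicious": []}
    for server in servers:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            result["suspicious"].append(server)  # not an IP address at all
            continue
        if any(ip in net for net in LAN_NETWORKS):
            result["lan"].append(server)
        elif server in allowlist:
            result["known"].append(server)
        else:
            result["suspicious"].append(server)
    return result


Lookup = Callable[[str], Set[str]]


def hijacked_hostnames(hostnames: Iterable[str],
                       lookup_default: Lookup,
                       lookup_trusted: Lookup) -> List[str]:
    """Return hostnames whose answers from the default resolver share no
    address with the trusted resolver's answers. CDN-hosted sites can
    legitimately differ by resolver, so pick hostnames with stable records
    and treat a hit as a reason to inspect the router, not as proof."""
    suspects = []
    for host in hostnames:
        default_ips = lookup_default(host)
        trusted_ips = lookup_trusted(host)
        if default_ips and trusted_ips and not (default_ips & trusted_ips):
            suspects.append(host)
    return suspects


def system_lookup(host: str) -> Set[str]:
    """Resolve through the device's default resolver (the router on most
    home networks). Returns an empty set on failure so callers can skip it."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except socket.gaierror:
        return set()


if __name__ == "__main__":
    # Constructed resolv.conf: the router plus an unexplained public server.
    sample_conf = "search lan\nnameserver 192.168.0.1\nnameserver 203.0.113.7\n"
    print(classify_resolvers(parse_resolvers(sample_conf)))
    # Constructed answers standing in for the router and a trusted resolver.
    from_router = {"bank.example": {"203.0.113.9"}, "news.example": {"198.51.100.5"}}
    from_trusted = {"bank.example": {"198.51.100.20"}, "news.example": {"198.51.100.5"}}
    print(hijacked_hostnames(from_router, lambda h: from_router[h], lambda h: from_trusted[h]))
```

Run it once on a network you trust to learn what "normal" looks like, then again on any public or newly configured network. The LAN ranges are listed explicitly rather than relying on `ipaddress.is_private`, because that property also covers documentation and other special-purpose ranges that would hide an unexpected upstream server.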
