MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Devices

Published on

Dec 5, 2024

MoqHao, also known as Wroba and XLoader, is a mobile malware family linked to Roaming Mantis, a cybercrime group believed to be operating out of China. Malicious payloads are usually delivered through "smishing" (SMS phishing) attacks targeting mobile devices.

This analysis began when one of our researchers received a suspicious text message in Japanese warning of a missed delivery attempt, accompanied by a shortened URL. What was initially believed to be just another spam message turned out to be part of a MoqHao campaign.

In this post, we'll examine the delivery mechanisms and infrastructure used in this operation and offer insights into how MoqHao continues to target mobile users employing tactics not previously associated with the group.

Missed Delivery, Found Malware

Spam messages are annoying and easy to ignore. We usually delete them without a second thought. However, curiosity got the best of us in this case, and we decided to take a closer look.

The message, received on November 21st, was written in Japanese and claimed a failed package delivery attempt. With no company name or tracking number, the text was generic and lacked any element that would lend it credibility. On rereading the message, we noticed linguistic inconsistencies: hiragana was used for words typically written in kanji, suggesting the composer is not a native Japanese speaker.

The supposed delivery notification was accompanied by a shortened URL: https://t[.]co/MQN7PEGZn2, hosted on X/Twitter.

Figure 1: The initial text message received by one of our researchers containing the suspicious shortened URL.

These details pointed to what seemed like everyday spam being part of a more organized campaign linked to the MoqHao malware. A closer analysis of the included URL revealed how the operators targeted Android and iOS users, leading to a deeper understanding of this campaign's methods and tactics.

URL & Infrastructure Analysis

We would never advise analyzing a suspicious URL directly on your mobile device, even with advanced security features enabled, so we used urlscan.io to assist our research. Using the default settings (user agent: Google Chrome on Windows 10), our initial scan led to a 404 error page. However, the error message contained our first clue to the link's true destination: http://zmptwh.hvhrg[.]xyz

Figure 2: Screenshot of the 404 page containing another suspicious domain (Source: urlscan).

Not to be deterred, we switched user agents to emulate an iPhone, mirroring the device that received the text message. Scanning from Japan revealed a phishing page mimicking an Apple ID login portal. The title of the page, "お客様のApple ID - Appleを管理," translates to "Your Apple ID" or "Customer Apple ID - Manage Apple."

This credential-harvesting page was hosted at http://nhcwtnidxz[.]duckdns.org/ja, resolving to the IP address 103.80.134[.]11. Interestingly, scans from different countries adjusted the URL to match the respective language, appending the appropriate country code (e.g., /en for the United States).

Figure 3: Malicious Apple ID login page (Source: urlscan).

After entering the Apple ID, the user is prompted for their password. The first attempt always returns an error message stating the password was incorrect. On the second try, the user is redirected to the legitimate Apple account page, likely to create an illusion of legitimacy while the credentials are captured.

So far, this infrastructure demonstrates the operators' efforts to localize their malicious web pages based on the user's region rather than relying on a single, static page in one language for all visitors. 

The inclusion of country-specific URLs, such as those listed above, in addition to using a 404 response for desktop operating systems while serving phishing content to mobile devices, highlights a deliberate attempt to tailor the campaign while avoiding unnecessary scrutiny. 

To explore further, we again adjusted the user agent, this time emulating an Android device, to observe any differences in response.

When we accessed the link as an Android device, we were served a blank webpage together with a direct download of a file: Chrome_up1732156036129.apk (SHA256: 958c51388770404cf1ddb320263125b5694a0691c5c6755e21ea61db968bef63). The file, whose name mimics a legitimate Google Chrome update, was flagged as malicious by 12 vendors on VirusTotal at the time of writing.

Figure 4: Urlscan summary page when posing as an Android device (Source: urlscan).

Reviewing the HTTP traffic reveals an additional DuckDNS domain, https://jwvijnxshs.duckdns[.]org/?tyhyfzy, resolving to 91.240.226[.]171. Users accessing the link are redirected multiple times, including through the previously observed domain zmptwh.hvhrg[.]xyz, now with a different path: /?lHZrP. Combined with payload delivery that varies by device, these redirections indicate a layered approach to distributing the malware, using multiple servers to keep defenders guessing.

Figure 5: HTTP summary showing the redirect chain eventually downloading the malicious APK (Source: urlscan).

Querying 91.240.226[.]171 in Hunt shows that it is hosted on the LG DACOM Corporation network in South Korea. The IP is also associated with several DuckDNS subdomains and at least one .xyz domain, exposing the operator's reliance on dynamic DNS services and disposable infrastructure to facilitate their campaign.

Figure 6: Overview of domains resolving to 103.80.134[.]11 in Hunt.

Dynamic DNS services allow the operators to quickly replace or update domains as needed, ensuring continued operation even if specific domains are flagged or blocked. The randomized subdomain names and varying top-level domains (TLDs) further obscure attribution efforts and complicate network-based defenses.

With a malicious APK identified, the next section will explore its delivery mechanisms and network communications, shedding light on how it interacts with the target device and the command and control infrastructure.

Network Communications

As shown in Figure 4, the malicious APK file is downloaded from cvws.icloud-content[.]com. This is not a spoofed domain but legitimate Apple infrastructure, which the operators abuse to host and distribute the malware.

Notably, a payload targeting Android devices, a long-standing focus of Roaming Mantis campaigns, is being delivered through Apple's services, further highlighting the group's willingness to test new techniques and hide from defenders.

The full download URL is:

https://cvws.icloud-content[.]com/B/Af0EuTgWpFmatpizAFV4JbyCGRaWAfRSlrRzELSIKdZnY571fbYBaccN/Chrome_up1732156036129.apk?o=AqmizYalfRfu35XmqKqHpY8BHoTn_7tIVbrU2toKX2p6&v=1&x=3&a=CAogmVM7aE69-Xg4frwc9xGuEqKPcWhKETM-8QdFv2Y86O4SaxD2maTytDIY9vb_87QyIgEAUgSCGRaWWgQBaccNaiXytrCUgu-AX1Yxl4C2BCLtIRTzOCvFvHZdZeJ3oCq2s2SLNwOJciWfZaTWZet7wNA1XMTDo4MCN4VvZQKrWDhnAksqNeoeDkG2iDbP&e=1732188830&fl=&r=9ec11f15-70ca-4b63-bd7d-6d320fd35e67-1&k=M09nF93_LE9B3NNe5Zd-Rw&ckc=com.apple.clouddocs&ckz=com.apple.CloudDocs&p=122&s=myCbWNxTHqFARpZHuE0J01eS9CE

As previously reported in other MoqHao campaigns, the operators encode the actual command-and-control (C2) address within a user profile page on a social media platform. In this instance, an HTTP GET request is made to m.vk[.]com/id730149630?act=info. VK, a Russian social media and networking platform, is being abused as an intermediary to obscure the C2 server.

Figure 7: Malicious VK user profile page obfuscating the real C2 address.

Analyzing the sample in Triage reveals that, after contacting VK, the malware initiates communication with 91.204.226[.]54 on port 28899. This IP is strikingly similar to the previously identified malware staging server, suggesting a connection between the two. While also hosted in South Korea, this server is on the HDTIDC LIMITED network rather than LG DACOM, indicating the use of multiple hosting providers to support the campaign's infrastructure.

Figure 8: Snippet of HTTP traffic for the fake Chrome update APK (Source: Triage).
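As an added example (not code from the original post), the following Python script turns the observables described in this section and the previous one into simple detection logic run over constructed web-proxy log lines. The log format, the tag names and the "two or more stages" verdict rule are assumptions; the indicators themselves come from the analysis above.

```python
"""Flag MoqHao-style delivery and C2 patterns in web-proxy/firewall logs."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Observables from the analysis above, written undefanged so they match real logs.
C2_IP, C2_PORT = "91.204.226.54", 28899
APK_HOST = "cvws.icloud-content.com"
VK_PROFILE = re.compile(r"^/id\d+$")          # m.vk.com/id<digits>?act=info
DYNDNS = re.compile(r"^[a-z0-9-]+\.duckdns\.org$")

# Constructed sample log lines (not from the original post). Assumed format:
# "<timestamp> <METHOD> <url-or-host:port> [ua=<agent>]".
SAMPLE_LOGS = [
    "2024-11-21T09:12:01Z GET https://jwvijnxshs.duckdns.org/?tyhyfzy ua=Android",
    "2024-11-21T09:12:02Z GET http://zmptwh.hvhrg.xyz/?lHZrP ua=Android",
    "2024-11-21T09:12:03Z GET https://cvws.icloud-content.com/B/xyz/Chrome_up1732156036129.apk?ckc=com.apple.clouddocs ua=Android",
    "2024-11-21T09:12:09Z GET https://m.vk.com/id730149630?act=info ua=okhttp",
    "2024-11-21T09:12:10Z CONNECT 91.204.226.54:28899",
    "2024-11-21T10:00:00Z GET https://www.apple.com/ ua=iPhone",
    "2024-11-21T10:00:05Z GET https://cvws.icloud-content.com/B/abc/report.pdf?ckc=com.apple.clouddocs ua=Windows",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: ua=(\S+))?$")


def classify(line):
    """Return the list of MoqHao indicators matched by one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ts, method, target, _ua = m.groups()
    hits = []
    if method == "CONNECT":
        # Direct socket to the C2 server on its non-standard port.
        host, _, port = target.rpartition(":")
        if host == C2_IP and port.isdigit() and int(port) == C2_PORT:
            hits.append("c2-connect")
        return hits
    u = urlparse(target)
    host = (u.hostname or "").lower()
    # Dynamic DNS / throwaway TLD hops used in the redirect chain.
    if DYNDNS.match(host) or host.endswith(".xyz"):
        hits.append("disposable-domain")
    # Android package served from legitimate iCloud storage.
    if host == APK_HOST and u.path.lower().endswith(".apk"):
        hits.append("apk-from-icloud")
    # VK profile lookup the malware uses to resolve its real C2 address.
    if host == "m.vk.com" and VK_PROFILE.match(u.path) and "act=info" in u.query:
        hits.append("vk-c2-lookup")
    return hits


def scan(lines):
    """Map each indicator to the log lines that triggered it, plus a verdict."""
    hits = defaultdict(list)
    for line in lines:
        for tag in classify(line):
            hits[tag].append(line)
    # Two or more distinct stages of the chain in one log set is a strong signal.
    verdict = "moqhao-chain" if len(hits) >= 2 else ("suspicious" if hits else "clean")
    return dict(hits), verdict
```

Running `scan(SAMPLE_LOGS)` tags the four chain stages and returns the "moqhao-chain" verdict, while the two benign Apple requests produce no hits.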

Conclusion

MoqHao continues to evolve, employing tactics that span SMS phishing, malicious APK delivery, and localized Apple ID phishing pages. The operators demonstrate adaptability and a focus on resilience by abusing trusted services like Apple's iCloud and VK alongside dynamic infrastructure such as DuckDNS subdomains. Their ability to target Android and iOS users with tailored methods underscores the importance of vigilance when handling unsolicited messages.

To stay safe, users should remain cautious of unsolicited messages, avoid clicking on unknown links, and rely on trusted app stores for downloads. Installing reputable security software can add an extra layer of protection to detect and block malicious activities on mobile devices.

Network Observables

IP Address        ASN                   Domains                   Notes
91.204.226[.]54   HDTIDC LIMITED        N/A                       MoqHao command-and-control server.
103.80.134[.]11   LG DACOM Corporation  nhcwtnidxz.duckdns[.]org  Apple ID phishing infrastructure.
91.204.226[.]166  LUCIDACLOUD LIMITED   zmptwh.hvhrg[.]xyz        HTTP 404 page and redirect to payload download.
91.204.226[.]171  HDTIDC LIMITED        jwvijnxshs.duckdns[.]org  Downloads MoqHao from iCloud account.