From 11a27df82db83d1076fd194dc5ff014a8f85cad1 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 12 Oct 2018 15:50:52 +0200
Subject: [PATCH] add roaming mantis group
---
 clusters/threat-actor.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9c93c86..68f0bc2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5928,7 +5928,20 @@
 ],
 "uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
 "value": "FASTCash"
+ },
+ {
+ "description": "According to new research by Kaspersky's GReAT team, the online criminal activities of the Roaming Mantis Group have continued to evolve since they were first discovered in April 2018. As part of their activities, this group hacks into exploitable routers and changes their DNS configuration. This allows the attackers to redirect the router user's traffic to malicious Android apps disguised as Facebook and Chrome or to Apple phishing pages that were used to steal Apple ID credentials.\nRecently, Kaspersky has discovered that this group is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the normal Apple phishing page. When users are redirected to these pages, they will be shown a blank page in the browser, but their CPU utilization will jump to 90% or higher.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/"
+ ],
+ "synonyms": [
+ "Roaming Mantis Group"
+ ]
+ },
+ "uuid": "b27beb94-ce25-11e8-8e11-2f1a59bd0e91",
+ "value": "Roaming Mantis"
 }
 ],
- "version": 70
+ "version": 71
 }
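Review bot: The new "Roaming Mantis" entry's `description` is time-relative news copy ("According to new research", "Recently, Kaspersky has discovered"), which will read as current long after the campaign details have changed. Replace those openers with the date of the report being summarised, so an analyst can tell how old the Coinhive-redirect observation is. The `refs` array also lists only secondary press coverage although the text attributes every finding to Kaspersky's GReAT team; add the primary write-up next to it, e.g. `"<URL of the Kaspersky GReAT report>"` (placeholder, the URL is not on this page), so the attribution can be traced to its source. The enclosing `values` array starts outside this hunk, so whether an existing entry already covers this group under another `value` or synonym cannot be checked here and is worth confirming before merge.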