APT-C-23

APT-C-23 is a threat group that has been active since at least 2014.[1] APT-C-23 has primarily focused its operations on the Middle East, including Israeli military assets. APT-C-23 has developed mobile spyware targeting Android and iOS devices since 2017.[2]

ID: G1028
Associated Groups: Mantis, Arid Viper, Desert Falcon, TAG-63, Grey Karkadann, Big Bang APT, Two-tailed Scorpion
Contributors: Sittikorn Sangrattanapitak
Version: 1.0
Created: 26 March 2024
Last Modified: 16 April 2024

Associated Group Descriptions

Name                 Description
Mantis               [1][3]
Arid Viper           [2][3][4]
Desert Falcon        [2][3][4]
Grey Karkadann       [3]
Big Bang APT         [5]
Two-tailed Scorpion  [2]

Techniques Used

Domain  ID         Name
Mobile  T1655.001  Masquerading: Match Legitimate Name or Location
        Use: APT-C-23 has masqueraded malware as legitimate applications.[2][6][7]

Mobile  T1660      Phishing
        Use: APT-C-23 sends malicious links to victims to download the masqueraded application.[7][6]

Mobile  T1422      System Network Configuration Discovery
        Use: APT-C-23 can collect the victim's phone number, device information, IMSI, etc.[6]

Software

ID     Name             References
S0505  Desert Scorpion
       Techniques: Archive Collected Data, Audio Capture, Data from Local System, Download New Code at Runtime, File and Directory Discovery, Hide Artifacts: Suppress Application Icon, Indicator Removal on Host: File Deletion, Location Tracking, Out of Band Data, Protected User Data: SMS Messages, Protected User Data: Contact List, SMS Control, Software Discovery, Stored Application Data, Subvert Trust Controls: Code Signing Policy Modification, System Information Discovery, Video Capture

S0577  FrozenCell
       Techniques: Archive Collected Data, Audio Capture, Data from Local System, Download New Code at Runtime, File and Directory Discovery, Location Tracking, Masquerading: Match Legitimate Name or Location, Protected User Data: SMS Messages, Stored Application Data, System Information Discovery, System Network Configuration Discovery

S0339  Micropsia
       Techniques: Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Audio Capture, Automated Collection, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Obfuscated Files or Information: Encrypted/Encoded File, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery, Windows Management Instrumentation

S1126  Phenakite        [3][4]
       Techniques: Audio Capture, Data from Local System, Exploitation for Privilege Escalation, Ingress Tool Transfer, Input Capture, Masquerading: Match Legitimate Name or Location, Protected User Data: SMS Messages, Protected User Data: Contact List, System Information Discovery, Video Capture

References