Red Alert 2.0 is a banking trojan that masquerades as a VPN client.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1626.001 | Abuse Elevation Control Mechanism: Device Administrator Permissions | Red Alert 2.0 can request device administrator permissions.[1] |
| Mobile | T1437.001 | Application Layer Protocol: Web Protocols | Red Alert 2.0 has communicated with the C2 using HTTP.[1] |
| Mobile | T1407 | Download New Code at Runtime | Red Alert 2.0 can download additional overlay templates.[1] |
| Mobile | T1417.002 | Input Capture: GUI Input Capture | Red Alert 2.0 has used malicious overlays to collect banking credentials.[1] |
| Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | Red Alert 2.0 has masqueraded as legitimate media player, social media, and VPN applications.[1] |
| Mobile | T1509 | Non-Standard Port | Red Alert 2.0 has communicated with the C2 using HTTP requests over port 7878.[1] |
| Mobile | T1406 | Obfuscated Files or Information | Red Alert 2.0 has stored data embedded in the strings.xml resource file.[1] |
| Mobile | T1636.002 | Protected User Data: Call Log | Red Alert 2.0 can collect the device’s call log.[1] |
| Mobile | T1636.003 | Protected User Data: Contact List | Red Alert 2.0 can collect the device’s contact list.[1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | Red Alert 2.0 can collect SMS messages.[1] |
| Mobile | T1582 | SMS Control | Red Alert 2.0 can send SMS messages.[1] |
| Mobile | T1418 | Software Discovery | Red Alert 2.0 can obtain the running application.[1] |
| Mobile | T1481.001 | Web Service: Dead Drop Resolver | Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.[1] |