TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]

Domain | ID | Name | Use
---|---|---|---
Mobile | T1407 | Download New Code at Runtime | TERRACOTTA can download additional modules at runtime via JavaScript
Mobile | T1624.001 | Event Triggered Execution: Broadcast Receivers | TERRACOTTA has registered several broadcast receivers.[1]
Mobile | T1541 | Foreground Persistence | TERRACOTTA has utilized foreground services.[1]
Mobile | T1643 | Generate Traffic from Victim | TERRACOTTA has generated non-human advertising impressions.[1]
Mobile | T1417.002 | Input Capture: GUI Input Capture | TERRACOTTA has displayed a form to collect user data after installation.[1]
Mobile | T1516 | Input Injection | TERRACOTTA can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.[1]
Mobile | T1575 | Native API | TERRACOTTA has included native modules.[1]
Mobile | T1406 | Obfuscated Files or Information | TERRACOTTA has stored encoded strings.[1]
Mobile | T1603 | Scheduled Task/Job | TERRACOTTA has used timer events in React Native to initiate the foreground service.[1]
Mobile | T1582 | SMS Control | TERRACOTTA can send SMS messages.[1]
Mobile | T1418 | Software Discovery | TERRACOTTA can obtain a list of installed apps.[1]
Mobile | T1422 | System Network Configuration Discovery | TERRACOTTA has collected the device’s phone number and can check if the active network connection is metered.[1]
Mobile | T1422.001 | Internet Connection Discovery | TERRACOTTA has collected the device’s phone number and can check if the active network connection is metered.[1]
Mobile | T1633.001 | Virtualization/Sandbox Evasion: System Checks | TERRACOTTA checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings.[1]
Mobile | T1481.002 | Web Service: Bidirectional Communication | TERRACOTTA has used Firebase for C2 communication.[1]