CHEMISTGAMES is a modular backdoor that has been deployed by Sandworm Team.[1]

ID: S0555
Platforms: Android
Version: 1.0
Created: 31 December 2020
Last Modified: 25 March 2021

Techniques Used

Domain | ID | Name | Use

Mobile | T1437.001 | Application Layer Protocol: Web Protocols | CHEMISTGAMES has used HTTPS for C2 communication.[1]

Mobile | T1623.001 | Command and Scripting Interpreter: Unix Shell | CHEMISTGAMES can run bash commands.[1]

Mobile | T1533 | Data from Local System | CHEMISTGAMES can collect files from the filesystem and account information from Google Chrome.[1]

Mobile | T1407 | Download New Code at Runtime | CHEMISTGAMES can download new modules while running.[1]

Mobile | T1521.002 | Encrypted Channel: Asymmetric Cryptography | CHEMISTGAMES has used HTTPS for C2 communication.[1]

Mobile | T1430 | Location Tracking | CHEMISTGAMES has collected the device’s location.[1]

Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | CHEMISTGAMES has masqueraded as popular South Korean applications.[1]

Mobile | T1575 | Native API | CHEMISTGAMES has utilized native code to decrypt its malicious payload.[1]

Mobile | T1406 | Obfuscated Files or Information | CHEMISTGAMES has encrypted its DEX payload.[1]

Mobile | T1474.003 | Supply Chain Compromise: Compromise Software Supply Chain | CHEMISTGAMES has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers and subsequently gaining access to their Google Play Store developer accounts.[1]

Mobile | T1426 | System Information Discovery | CHEMISTGAMES has fingerprinted devices to uniquely identify them.[1]

Groups That Use This Software

ID | Name | References

G0034 | Sandworm Team | [1]