DCHSpy is an Android spyware likely used by MuddyWater. DCHSpy uses political decoys and masquerades as legitimate applications, such as VPNs and banking applications, to trick victims into downloading the malware. Once downloaded, DCHSpy collects information from the device and exfiltrates the data to the command and control (C2) server.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1437 | Application Layer Protocol | DCHSpy has uploaded collected data to a Secure File Transfer Protocol (SFTP) server.[1] |
| Mobile | T1532 | Archive Collected Data | DCHSpy has compressed and encrypted collected data with a password from the C2 server.[1] |
| Mobile | T1429 | Audio Capture | DCHSpy has captured audio from the device by taking control of the microphone.[1] |
| Mobile | T1533 | Data from Local System | DCHSpy has collected files of interest on the device, including WhatsApp files.[1] |
| Mobile | T1430 | Location Tracking | |
| Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | DCHSpy has masqueraded as legitimate applications, such as VPN and banking applications.[1] |
| Mobile | T1636.002 | Protected User Data: Call Log | |
| Mobile | T1636.003 | Protected User Data: Contact List | |
| Mobile | T1636.004 | Protected User Data: SMS Messages | DCHSpy has accessed the device’s SMS messages, including messages that were in the inbox, sent, draft, outbox, failed, and queued.[1] |
| Mobile | T1636.005 | Protected User Data: Accounts | DCHSpy has collected account names and their types from the device.[1] |
| Mobile | T1409 | Stored Application Data | DCHSpy has collected files of interest on the device, including WhatsApp files.[1] |
| Mobile | T1512 | Video Capture | DCHSpy has captured photos from the device by taking control of the camera.[1] |
| ID | Name | References |
|---|---|---|
| G0069 | MuddyWater | |