Standard Application Layer Protocol

Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.

In the mobile environment, Google Cloud Messaging (GCM; two-way) and the Apple Push Notification Service (APNS; one-way, server-to-device) are push-messaging services commonly used on Android and iOS respectively. Traffic to them blends in with routine device traffic and terminates at Google or Apple infrastructure, so it is difficult for enterprises to inspect. Google has since replaced GCM with Firebase Cloud Messaging (FCM), which several of the procedure examples below use in the same way. Google reportedly responds to reports of abuse by blocking access to GCM.[1]
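Because the protocol itself is legitimate, the practical detection handle is behaviour rather than content: implants that check in over HTTP POST (as many of the procedure examples below do) run on a timer, and timer-driven traffic has far less timing jitter than human browsing. The following is an added example, not code from the MITRE page or from any of the cited reports; the proxy log format, the client addresses and the hostnames in it are constructed for illustration.

```python
"""Beacon detection over HTTP proxy logs (added example; constructed data).

Groups requests by (client, destination), measures how regular the gaps
between consecutive requests are, and flags pairs whose timing and request
sizes look machine-driven. The implant host "api.example-cdn.net" and the
log format are assumptions made for this example, not real indicators.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO time> <src> <method> <host> <path> <status> <bytes>"
# 10.0.0.7 mixes normal browsing with a ~30 s check-in to the assumed C2 host.
SAMPLE_LOG = """\
2020-06-01T10:00:00 10.0.0.7 POST api.example-cdn.net /gate.php 200 412
2020-06-01T10:00:02 10.0.0.7 GET www.example.org / 200 18233
2020-06-01T10:00:31 10.0.0.7 POST api.example-cdn.net /gate.php 200 409
2020-06-01T10:00:41 10.0.0.7 GET www.example.org /news 200 22011
2020-06-01T10:00:59 10.0.0.7 POST api.example-cdn.net /gate.php 200 415
2020-06-01T10:01:30 10.0.0.7 POST api.example-cdn.net /gate.php 200 411
2020-06-01T10:02:02 10.0.0.7 POST api.example-cdn.net /gate.php 200 410
2020-06-01T10:02:07 10.0.0.9 GET www.example.org / 200 18233
2020-06-01T10:02:30 10.0.0.7 POST api.example-cdn.net /gate.php 200 413
2020-06-01T10:04:55 10.0.0.9 GET www.example.org /about 200 9100
2020-06-01T10:09:12 10.0.0.9 GET cdn.example.org /app.js 200 70012
"""


def parse_log(text):
    """Parse the constructed space-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path, status, size = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "method": method, "host": host,
            "path": path, "status": int(status), "bytes": int(size),
        })
    return events


def beacon_candidates(events, min_hits=5, max_cv=0.2, max_size_spread=64):
    """Return (src, host) pairs whose request timing looks timer-driven.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: human browsing is bursty (high cv), a scheduled
    check-in is regular (low cv). A narrow spread of request sizes is a
    second hint that the same small status body is being sent each time.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e)

    findings = []
    for (src, host), evs in by_pair.items():
        if len(evs) < min_hits:
            continue  # too few samples to judge regularity
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        m = mean(gaps)
        if m == 0:
            continue
        cv = pstdev(gaps) / m
        sizes = [e["bytes"] for e in evs]
        post_ratio = sum(e["method"] == "POST" for e in evs) / len(evs)
        if cv <= max_cv and (max(sizes) - min(sizes)) <= max_size_spread:
            findings.append({
                "src": src, "host": host, "hits": len(evs),
                "mean_interval_s": round(m, 1), "cv": round(cv, 3),
                "post_ratio": round(post_ratio, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log this flags only 10.0.0.7 talking to api.example-cdn.net (six POSTs, mean gap 30 s, low cv); the browsing to www.example.org is too sparse and irregular to score. Tune `min_hits` and `max_cv` against your own baseline, since legitimate apps also poll on timers. The approach needs per-destination visibility, so it does not help for the push-channel variants described above (GCM/FCM, APNS), where the C2 traffic terminates at Google or Apple infrastructure and is indistinguishable from other push traffic at the network layer.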

ID: T1437
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Command And Control, Exfiltration
Platforms: Android, iOS
MTC ID: APP-29
Version: 1.1
Created: 25 October 2017
Last Modified: 03 February 2019

Procedure Examples

ID Name Description
S0525 Android/AdDisplay.Ashas

Android/AdDisplay.Ashas has communicated with the C2 server using HTTP.[2]

S0304 Android/Chuli.A

Android/Chuli.A used HTTP uploads to a URL as a command and control mechanism.[3]

S0540 Asacub

Asacub has communicated with the C2 using HTTP POST requests.[4]

S0432 Bread

Bread communicates with the C2 server using HTTP requests.[5]

S0480 Cerberus

Cerberus communicates with the C2 server using HTTP.[6]

S0555 CHEMISTGAMES

CHEMISTGAMES has used HTTPS for C2 communication.[7]

S0426 Concipit1248

Concipit1248 communicates with the C2 server using HTTP requests.[8]

S0425 Corona Updates

Corona Updates communicates with the C2 server using HTTP requests and has exfiltrated data using FTP.[8]

G0070 Dark Caracal

Dark Caracal controls implants using standard HTTP communication.[9]

S0479 DEFENSOR ID

DEFENSOR ID has used Firebase Cloud Messaging for C2.[10]

S0550 DoubleAgent

DoubleAgent has used both FTP and TCP sockets for data exfiltration.[11]

S0507 eSurv

eSurv has exfiltrated data using HTTP PUT requests.[12]

S0478 EventBot

EventBot communicates with the C2 using HTTP requests.[13]

S0522 Exobot

Exobot has used HTTPS for C2 communication.[14]

S0405 Exodus

Exodus One checks in with the command and control server using HTTP POST requests.[15]

S0509 FakeSpy

FakeSpy exfiltrates data using HTTP requests.[16]

S0535 Golden Cup

Golden Cup has communicated with the C2 using MQTT and HTTP.[17]

S0551 GoldenEagle

GoldenEagle has exfiltrated data via both SMTP and HTTP and used HTTP POST requests for C2.[11]

S0421 GolfSpy

GolfSpy exfiltrates data using HTTP POST requests.[18]

S0536 GPlayed

GPlayed has communicated with the C2 using HTTP requests or WebSockets as a backup.[19]

S0406 Gustuff

Gustuff communicates with the command and control server using HTTP requests.[20]

S0463 INSOMNIA

INSOMNIA communicates with the C2 server using HTTPS requests.[21]

S0399 Pallas

Pallas exfiltrates data using HTTP.[9]

S0539 Red Alert 2.0

Red Alert 2.0 has communicated with the C2 using HTTP.[22]

S0326 RedDrop

RedDrop uses standard HTTP for communication and exfiltration.[23]

S0403 Riltok

Riltok communicates with the command and control server using HTTP requests.[24]

S0411 Rotexy

Rotexy can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging.[25]

S0313 RuMMS

RuMMS uses HTTP for command and control.[26]

S0549 SilkBean

SilkBean has used HTTPS for C2 communication.[11]

S0327 Skygofree

Skygofree can be controlled via HTTP, XMPP, Firebase Cloud Messaging, or, in older versions, Google Cloud Messaging.[27]

S0424 Triada

Triada utilized HTTP to exfiltrate data through POST requests to the command and control server.[28]

S0427 TrickMo

TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests.[29]

S0307 Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.Agent.ao uses Google Cloud Messaging (GCM) for command and control.[1]

S0306 Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.FakeInst.a uses Google Cloud Messaging (GCM) for command and control.[1]

S0308 Trojan-SMS.AndroidOS.OpFake.a

Trojan-SMS.AndroidOS.OpFake.a uses Google Cloud Messaging (GCM) for command and control.[1]

S0418 ViceLeaker

ViceLeaker uses HTTP for C2 communication and data exfiltration.[30][31]

S0490 XLoader for iOS

XLoader for iOS has exfiltrated data using HTTP requests.[32]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

References

  1. Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.
  2. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.
  3. Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.
  4. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
  5. A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.
  6. A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.
  7. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
  8. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.
  9. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  10. L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.
  11. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  12. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.
  13. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
  14. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
  15. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
  16. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.
  17. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.
  18. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  19. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market. Retrieved November 24, 2020.
  20. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.
  21. A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
  22. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.
  23. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.
  24. Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.
  25. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  26. Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.
  27. Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.
  28. Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.
  29. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
  30. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.
  31. L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020.
  32. Hiroaki, H., Wu, L., Wu, L. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.