1. Home
  2. Techniques
  3. Mobile
  4. Encrypted Channel
  5. Symmetric Cryptography

Encrypted Channel: Symmetric Cryptography

ID Name
T1521.001 Symmetric Cryptography
T1521.002 Asymmetric Cryptography
T1521.003 SSL Pinning

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.

ID: T1521.001
Sub-technique of:  T1521
Tactic Type: Post-Adversary Device Access
Tactic: Command and Control
Platforms: Android, iOS
Version: 1.0
Created: 05 April 2022
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
C0033 C0033

During C0033, PROMETHIUM used StrongPity to encrypt C2 communication using AES.[1]

S0478 EventBot

EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[2]
C0054 Operation Triangulation

During Operation Triangulation, the threat actors used 3DES and AES to encrypt C2 communication and data.[3][4]

S0411 Rotexy

Rotexy encrypts JSON HTTP payloads with AES.[5]

S1055 SharkBot

SharkBot can use RC4 to encrypt C2 payloads.[6]
S1216 TriangleDB

TriangleDB has encrypted data using 3DES.[3]

G0112 Windshift

Windshift has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.[7]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0650 Detection of Symmetric Cryptography AN1731

An application performs repeated symmetric cryptographic operations (e.g., AES/RC4) on collected or staged data using locally accessible or reusable keys, followed by structured outbound communication. Detection correlates symmetric crypto API invocation + key reuse patterns + data staging + background execution context + network transmission, especially when inconsistent with expected application functionality.
AN1732

Indirect evidence of symmetric cryptographic channel usage inferred through repeated structured encrypted network transmissions and background processing patterns, where direct observation of symmetric crypto operations is limited. Detection correlates application background execution + consistent encrypted payload patterns + app entitlement posture to identify misuse of symmetric encryption for command and control.

References

  1. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
  2. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
  3. Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.
  4. Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.
  1. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  2. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a β€œnew” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
  3. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.