1. Home
  2. Techniques
  3. Mobile
  4. Ingress Tool Transfer

Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.

ID: T1544
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Command and Control
Platforms: Android, iOS
Version: 2.2
Created: 21 January 2020
Last Modified: 14 August 2023
Version Permalink

Procedure Examples

ID Name Description
S1061 AbstractEmu

AbstractEmu can receive files from the C2 at runtime.[1]
C0033 C0033

During C0033, PROMETHIUM used StrongPity to receive files from the C2 and execute them via the parent application.[2]

S1083 Chameleon

Chameleon can download HTML overlay pages after installation.[3]
S0485 Mandrake

Mandrake can install attacker-specified components or applications.[4]
S0407 Monokle

Monokle can download attacker-specified files.[5]

S1126 Phenakite

Phenakite can download additional malware to the victim device.[6]

S0326 RedDrop

RedDrop uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. RedDrop also downloads additional components (APKs, JAR files) from different C2 servers.[7]

S1055 SharkBot

SharkBot can download attacker-specified files.[8]
S1082 Sunbird

Sunbird can download adversary specified content from FTP shares.[9]
S0418 ViceLeaker

ViceLeaker can download attacker-specified files.[10]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Network Communication

Application vetting services could look for connections to unknown domains or IP addresses.

Permissions Requests

Application vetting services may indicate precisely what content was requested during application execution.

References

  1. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
  2. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
  3. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
  4. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  5. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  1. Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.
  2. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.
  3. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
  4. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
  5. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.