S0399 Pallas
Pallas is mobile surveillanceware that was custom-developed by Dark Caracal.1
| Item | Value |
|---|---|
| ID | S0399 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 10 July 2019 |
| Last Modified | 18 September 2019 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1429 | Audio Capture | Pallas captures audio from the device microphone.1 |
| mobile | T1646 | Exfiltration Over C2 Channel | Pallas exfiltrates data using HTTP.1 |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.002 | File Deletion | Pallas has the ability to delete attacker-specified files from compromised devices.1 |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.002 | GUI Input Capture | Pallas uses phishing popups to harvest user credentials.1 |
| mobile | T1430 | Location Tracking | Pallas tracks the latitude and longitude coordinates of the infected device.1 |
| mobile | T1406 | Obfuscated Files or Information | Pallas stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.1 |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | Pallas accesses and exfiltrates the call log.1 |
| mobile | T1636.003 | Contact List | Pallas accesses the device contact list.1 |
| mobile | T1636.004 | SMS Messages | Pallas captures and exfiltrates all SMS messages, including future messages as they are received.1 |
| mobile | T1418 | Software Discovery | Pallas retrieves a list of all applications installed on the device.1 |
| mobile | T1409 | Stored Application Data | Pallas retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.1 |
| mobile | T1426 | System Information Discovery | Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras.1 |
| mobile | T1421 | System Network Connections Discovery | Pallas gathers and exfiltrates data about nearby Wi-Fi access points.1 |
| mobile | T1512 | Video Capture | Pallas can take pictures with both the front and rear-facing cameras.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0070 | Dark Caracal | 1 |