S0399 Pallas
Pallas is mobile surveillanceware that was custom-developed by Dark Caracal.[1]
Item | Value |
---|---|
ID | S0399 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 10 July 2019 |
Last Modified | 18 September 2019 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1433 | Access Call Log | Pallas accesses and exfiltrates the call log.[1] |
mobile | T1432 | Access Contact List | Pallas accesses the device contact list.[1] |
mobile | T1409 | Access Stored Application Data | Pallas retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.[1] |
mobile | T1418 | Application Discovery | Pallas retrieves a list of all applications installed on the device.[1] |
mobile | T1429 | Capture Audio | Pallas captures audio from the device microphone.[1] |
mobile | T1512 | Capture Camera | Pallas can take pictures with both the front and rear-facing cameras.[1] |
mobile | T1412 | Capture SMS Messages | Pallas captures and exfiltrates all SMS messages, including future messages as they are received.[1] |
mobile | T1447 | Delete Device Data | Pallas has the ability to delete attacker-specified files from compromised devices.[1] |
mobile | T1476 | Deliver Malicious App via Other Means | Pallas has the ability to download and install attacker-specified applications.[1] |
mobile | T1411 | Input Prompt | Pallas uses phishing popups to harvest user credentials.[1] |
mobile | T1430 | Location Tracking | Pallas tracks the latitude and longitude coordinates of the infected device.[1] |
mobile | T1507 | Network Information Discovery | Pallas gathers and exfiltrates data about nearby Wi-Fi access points.[1] |
mobile | T1406 | Obfuscated Files or Information | Pallas stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.[1] |
mobile | T1437 | Standard Application Layer Protocol | Pallas exfiltrates data using HTTP.[1] |
mobile | T1426 | System Information Discovery | Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0070 | Dark Caracal | [1] |