Skip to content

S0399 Pallas

Pallas is mobile surveillanceware that was custom-developed by Dark Caracal.1

Item Value
ID S0399
Associated Names
Version 1.1
Created 10 July 2019
Last Modified 18 September 2019
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1433 Access Call Log Pallas accesses and exfiltrates the call log.1
mobile T1432 Access Contact List Pallas accesses the device contact list.1
mobile T1409 Access Stored Application Data Pallas retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.1
mobile T1418 Application Discovery Pallas retrieves a list of all applications installed on the device.1
mobile T1429 Capture Audio Pallas captures audio from the device microphone.1
mobile T1512 Capture Camera Pallas can take pictures with both the front and rear-facing cameras.1
mobile T1412 Capture SMS Messages Pallas captures and exfiltrates all SMS messages, including future messages as they are received.1
mobile T1447 Delete Device Data Pallas has the ability to delete attacker-specified files from compromised devices.1
mobile T1476 Deliver Malicious App via Other Means Pallas has the ability to download and install attacker-specified applications.1
mobile T1411 Input Prompt Pallas uses phishing popups to harvest user credentials.1
mobile T1430 Location Tracking Pallas tracks the latitude and longitude coordinates of the infected device.1
mobile T1507 Network Information Discovery Pallas gathers and exfiltrates data about nearby Wi-Fi access points.1
mobile T1406 Obfuscated Files or Information Pallas stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.1
mobile T1437 Standard Application Layer Protocol Pallas exfiltrates data using HTTP.1
mobile T1426 System Information Discovery Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras.1

Groups That Use This Software

ID Name References
G0070 Dark Caracal 1


Back to top