Skip to content

S0399 Pallas

Pallas is mobile surveillanceware that was custom-developed by Dark Caracal.1

Item Value
ID S0399
Associated Names
Version 1.1
Created 10 July 2019
Last Modified 18 September 2019
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1429 Audio Capture Pallas captures audio from the device microphone.1
mobile T1646 Exfiltration Over C2 Channel Pallas exfiltrates data using HTTP.1
mobile T1630 Indicator Removal on Host -
mobile T1630.002 File Deletion Pallas has the ability to delete attacker-specified files from compromised devices.1
mobile T1417 Input Capture -
mobile T1417.002 GUI Input Capture Pallas uses phishing popups to harvest user credentials.1
mobile T1430 Location Tracking Pallas tracks the latitude and longitude coordinates of the infected device.1
mobile T1406 Obfuscated Files or Information Pallas stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.1
mobile T1636 Protected User Data -
mobile T1636.002 Call Log Pallas accesses and exfiltrates the call log.1
mobile T1636.003 Contact List Pallas accesses the device contact list.1
mobile T1636.004 SMS Messages Pallas captures and exfiltrates all SMS messages, including future messages as they are received.1
mobile T1418 Software Discovery Pallas retrieves a list of all applications installed on the device.1
mobile T1409 Stored Application Data Pallas retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.1
mobile T1426 System Information Discovery Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras.1
mobile T1421 System Network Connections Discovery Pallas gathers and exfiltrates data about nearby Wi-Fi access points.1
mobile T1512 Video Capture Pallas can take pictures with both the front and rear-facing cameras.1

Groups That Use This Software

ID Name References
G0070 Dark Caracal 1