S0407 Monokle
Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but some code artifacts suggest that an iOS version may be in development.[1]
Item | Value |
---|---|
ID | S0407 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 04 September 2019 |
Last Modified | 01 November 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1640 | Account Access Removal | Monokle can reset the user’s password/PIN.[1] |
mobile | T1638 | Adversary-in-the-Middle | Monokle can install attacker-specified certificates to the device’s trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks.[2] |
mobile | T1429 | Audio Capture | Monokle can record audio from the device’s microphone and can record phone calls, specifying the output audio quality.[1] |
mobile | T1616 | Call Control | Monokle can be controlled via phone call from a set of “control phones.”[1] |
mobile | T1645 | Compromise Client Software Binary | Monokle can remount the system partition as read/write to install attacker-specified certificates.[1] |
mobile | T1533 | Data from Local System | Monokle can retrieve the salt used when storing the user’s password, aiding an adversary in computing the user’s plaintext password/PIN from the stored password hash. Monokle can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.[1] |
mobile | T1617 | Hooking | Monokle can hook itself to appear invisible to the Process Manager.[1] |
mobile | T1630 | Indicator Removal on Host | - |
mobile | T1630.002 | File Deletion | Monokle can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.[1] |
mobile | T1544 | Ingress Tool Transfer | Monokle can download attacker-specified files.[1] |
mobile | T1417 | Input Capture | - |
mobile | T1417.001 | Keylogging | Monokle can record the user’s keystrokes.[1] |
mobile | T1430 | Location Tracking | Monokle can track the device’s location.[1] |
mobile | T1406 | Obfuscated Files or Information | Monokle uses XOR to obfuscate its second-stage binary.[1] |
mobile | T1644 | Out of Band Data | Monokle can be controlled via email and SMS from a set of “control phones.”[1] |
mobile | T1636 | Protected User Data | - |
mobile | T1636.001 | Calendar Entries | Monokle can retrieve calendar event information, including the event name, when and where it is taking place, and the description.[1] |
mobile | T1636.002 | Call Log | Monokle can retrieve call history.[1] |
mobile | T1636.003 | Contact List | Monokle can retrieve the device’s contact list.[1] |
mobile | T1513 | Screen Capture | Monokle can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. Monokle can also abuse accessibility features to read the screen and capture data from a large number of popular applications.[1] |
mobile | T1418 | Software Discovery | Monokle can list applications installed on the device.[1] |
mobile | T1426 | System Information Discovery | Monokle queries the device for metadata such as make, model, and power levels.[1] |
mobile | T1422 | System Network Configuration Discovery | Monokle checks whether the device is connected via Wi-Fi or mobile data.[1] |
mobile | T1421 | System Network Connections Discovery | Monokle can retrieve nearby cell tower and Wi-Fi network information.[1] |
mobile | T1512 | Video Capture | Monokle can take photos and videos.[1] |
References
1. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
2. Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.