Skip to content

S0418 ViceLeaker

ViceLeaker is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.12

Item Value
ID S0418
Associated Names Triout
Version 1.0
Created 21 November 2019
Last Modified 26 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Triout 1

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols ViceLeaker uses HTTP requests for C2 communication.12
mobile T1429 Audio Capture ViceLeaker can record audio from the device’s microphone and can record phone calls together with the caller ID.12
mobile T1533 Data from Local System ViceLeaker can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.12
mobile T1646 Exfiltration Over C2 Channel ViceLeaker uses HTTP data exfiltration.12
mobile T1628 Hide Artifacts -
mobile T1628.001 Suppress Application Icon ViceLeaker includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.2
mobile T1630 Indicator Removal on Host -
mobile T1630.002 File Deletion ViceLeaker can delete arbitrary files from the device.1
mobile T1544 Ingress Tool Transfer ViceLeaker can download attacker-specified files.1
mobile T1430 Location Tracking ViceLeaker can collect location information, including GPS coordinates.12
mobile T1636 Protected User Data -
mobile T1636.002 Call Log ViceLeaker can collect the device’s call log.1
mobile T1636.004 SMS Messages ViceLeaker can collect SMS messages.1
mobile T1418 Software Discovery ViceLeaker can obtain a list of installed applications.1
mobile T1426 System Information Discovery ViceLeaker collects device information, including the device model and OS version.1
mobile T1512 Video Capture ViceLeaker can take photos from both the front and back cameras.1