| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | INSOMNIA communicates with the C2 server using HTTPS requests. |
| mobile | T1634 | Credentials from Password Store | - |
| mobile | T1634.001 | Keychain | INSOMNIA can extract the device’s keychain. |
| mobile | T1533 | Data from Local System | INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps. |
| mobile | T1456 | Drive-By Compromise | INSOMNIA has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices. |
| mobile | T1404 | Exploitation for Privilege Escalation | INSOMNIA exploits a WebKit vulnerability to achieve root access on the device. |
| mobile | T1430 | Location Tracking | INSOMNIA can track the device’s location. |
| mobile | T1509 | Non-Standard Port | INSOMNIA has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773. |
| mobile | T1406 | Obfuscated Files or Information | INSOMNIA obfuscates various pieces of information within the application. |
| mobile | T1631 | Process Injection | - |
| mobile | T1631.001 | Ptrace System Calls | INSOMNIA grants itself permissions by injecting its hash into the kernel’s trust cache. |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | INSOMNIA can retrieve the call history. |
| mobile | T1636.003 | Contact List | INSOMNIA can collect the device’s contact list. |
| mobile | T1636.004 | SMS Messages | INSOMNIA can retrieve SMS messages and iMessages. |
| mobile | T1418 | Software Discovery | INSOMNIA can obtain a list of installed non-Apple applications. |
| mobile | T1426 | System Information Discovery | INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space. |
| mobile | T1422 | System Network Configuration Discovery | INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular). |