S0463 INSOMNIA
INSOMNIA is spyware that has been used by the group Evil Eye.
| Item | Value |
|---|---|
| ID | S0463 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 02 June 2020 |
| Last Modified | 24 June 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1433 | Access Call Log | INSOMNIA can retrieve the call history. |
| mobile | T1432 | Access Contact List | INSOMNIA can collect the device’s contact list. |
| mobile | T1418 | Application Discovery | INSOMNIA can obtain a list of installed non-Apple applications. |
| mobile | T1412 | Capture SMS Messages | INSOMNIA can retrieve SMS messages and iMessages. |
| mobile | T1540 | Code Injection | INSOMNIA grants itself permissions by injecting its hash into the kernel’s trust cache. |
| mobile | T1533 | Data from Local System | INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps. |
| mobile | T1456 | Drive-by Compromise | INSOMNIA has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices. |
| mobile | T1404 | Exploit OS Vulnerability | INSOMNIA exploits a WebKit vulnerability to achieve root access on the device. |
| mobile | T1579 | Keychain | INSOMNIA can extract the device’s keychain. |
| mobile | T1430 | Location Tracking | INSOMNIA can track the device’s location. |
| mobile | T1406 | Obfuscated Files or Information | INSOMNIA obfuscates various pieces of information within the application. |
| mobile | T1437 | Standard Application Layer Protocol | INSOMNIA communicates with the C2 server using HTTPS requests. |
| mobile | T1426 | System Information Discovery | INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space. |
| mobile | T1422 | System Network Configuration Discovery | INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular). |
| mobile | T1509 | Uncommonly Used Port | INSOMNIA has communicated with the C2 over TCP ports 43111, 43223, and 43773. |