S0489 WolfRAT

WolfRAT is malware based on a leaked version of Dendroid that has primarily targeted Thai users. WolfRAT has most likely been operated by the now defunct organization Wolf Research.¹

Item	Value
ID	S0489
Associated Names
Type	MALWARE
Version	1.0
Created	20 July 2020
Last Modified	11 September 2020
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
mobile	T1517	Access Notifications	WolfRAT can receive system notifications.¹
mobile	T1429	Audio Capture	WolfRAT can record call audio.¹
mobile	T1533	Data from Local System	WolfRAT can collect user account, photos, browser history, and arbitrary files.¹
mobile	T1407	Download New Code at Runtime	WolfRAT can update the running malware.¹
mobile	T1630	Indicator Removal on Host	-
mobile	T1630.002	File Deletion	WolfRAT can delete files from the device.¹
mobile	T1406	Obfuscated Files or Information	WolfRAT’s code is obfuscated.¹
mobile	T1424	Process Discovery	WolfRAT uses `dumpsys` to determine if certain applications are running.¹
mobile	T1636	Protected User Data	-
mobile	T1636.002	Call Log	WolfRAT can collect the device’s call log.¹
mobile	T1636.003	Contact List	WolfRAT can collect the device’s contact list.¹
mobile	T1636.004	SMS Messages	WolfRAT can collect SMS messages.¹
mobile	T1513	Screen Capture	WolfRAT can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp.¹
mobile	T1582	SMS Control	WolfRAT can delete and send SMS messages.¹
mobile	T1418	Software Discovery	WolfRAT can obtain a list of installed applications.¹
mobile	T1422	System Network Configuration Discovery	WolfRAT sends the device’s IMEI with each exfiltration request.¹
mobile	T1512	Video Capture	WolfRAT can take photos and videos.¹
mobile	T1633	Virtualization/Sandbox Evasion	-
mobile	T1633.001	System Checks	WolfRAT can perform primitive emulation checks.¹

References

W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back… . Retrieved July 20, 2020. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩