S0505 Desert Scorpion
Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.[1]
Item | Value |
---|---|
ID | S0505 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 11 September 2020 |
Last Modified | 19 April 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1432 | Access Contact List | Desert Scorpion can collect the device’s contact list.[1] |
mobile | T1409 | Access Stored Application Data | Desert Scorpion can collect account information stored on the device.[1] |
mobile | T1438 | Alternate Network Mediums | Desert Scorpion can be controlled using SMS messages.[1] |
mobile | T1418 | Application Discovery | Desert Scorpion can obtain a list of installed applications.[1] |
mobile | T1429 | Capture Audio | Desert Scorpion can record audio from phone calls and the device microphone.[1] |
mobile | T1512 | Capture Camera | Desert Scorpion can record videos.[1] |
mobile | T1412 | Capture SMS Messages | Desert Scorpion can retrieve SMS messages.[1] |
mobile | T1532 | Data Encrypted | Desert Scorpion can encrypt exfiltrated data.[1] |
mobile | T1533 | Data from Local System | Desert Scorpion can collect attacker-specified files, including files located on external storage.[1] |
mobile | T1447 | Delete Device Data | Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.[1] |
mobile | T1475 | Deliver Malicious App via Authorized App Store | Desert Scorpion has been distributed via the Google Play Store.[1] |
mobile | T1407 | Download New Code at Runtime | Desert Scorpion has been distributed in multiple stages.[1] |
mobile | T1420 | File and Directory Discovery | Desert Scorpion can list files stored on external storage.[1] |
mobile | T1478 | Install Insecure or Malicious Configuration | If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.[1] |
mobile | T1430 | Location Tracking | Desert Scorpion can track the device’s location.[1] |
mobile | T1582 | SMS Control | Desert Scorpion can send SMS messages.[1] |
mobile | T1508 | Suppress Application Icon | Desert Scorpion can hide its icon.[1] |
mobile | T1426 | System Information Discovery | Desert Scorpion can collect device metadata and can check if the device is rooted.[1] |