S0505 Desert Scorpion
Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.[1]
Item | Value |
---|---|
ID | S0505 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 11 September 2020 |
Last Modified | 19 April 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1532 | Archive Collected Data | Desert Scorpion can encrypt exfiltrated data.[1] |
mobile | T1429 | Audio Capture | Desert Scorpion can record audio from phone calls and the device microphone.[1] |
mobile | T1533 | Data from Local System | Desert Scorpion can collect attacker-specified files, including files located on external storage.[1] |
mobile | T1407 | Download New Code at Runtime | Desert Scorpion has been distributed in multiple stages.[1] |
mobile | T1420 | File and Directory Discovery | Desert Scorpion can list files stored on external storage.[1] |
mobile | T1628 | Hide Artifacts | - |
mobile | T1628.001 | Suppress Application Icon | Desert Scorpion can hide its icon.[1] |
mobile | T1630 | Indicator Removal on Host | - |
mobile | T1630.002 | File Deletion | Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.[1] |
mobile | T1430 | Location Tracking | Desert Scorpion can track the device’s location.[1] |
mobile | T1644 | Out of Band Data | Desert Scorpion can be controlled using SMS messages.[1] |
mobile | T1636 | Protected User Data | - |
mobile | T1636.003 | Contact List | Desert Scorpion can collect the device’s contact list.[1] |
mobile | T1636.004 | SMS Messages | Desert Scorpion can retrieve SMS messages.[1] |
mobile | T1582 | SMS Control | Desert Scorpion can send SMS messages.[1] |
mobile | T1418 | Software Discovery | Desert Scorpion can obtain a list of installed applications.[1] |
mobile | T1409 | Stored Application Data | Desert Scorpion can collect account information stored on the device.[1] |
mobile | T1632 | Subvert Trust Controls | - |
mobile | T1632.001 | Code Signing Policy Modification | If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.[1] |
mobile | T1426 | System Information Discovery | Desert Scorpion can collect device metadata and can check if the device is rooted.[1] |
mobile | T1512 | Video Capture | Desert Scorpion can record videos.[1] |