S0507 eSurv
eSurv is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.[1]
Item | Value |
---|---|
ID | S0507 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 14 September 2020 |
Last Modified | 14 September 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1429 | Audio Capture | eSurv can record audio.[1] |
mobile | T1533 | Data from Local System | eSurv can exfiltrate device pictures.[1] |
mobile | T1407 | Download New Code at Runtime | eSurv’s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload, which is Exodus.[1] |
mobile | T1521 | Encrypted Channel | - |
mobile | T1521.002 | Asymmetric Cryptography | eSurv’s Android version has used public key encryption and certificate pinning for C2 communication.[1] |
mobile | T1627 | Execution Guardrails | - |
mobile | T1627.001 | Geofencing | eSurv imposes geo-restrictions when delivering the second stage.[1] |
mobile | T1646 | Exfiltration Over C2 Channel | eSurv has exfiltrated data using HTTP PUT requests.[1] |
mobile | T1430 | Location Tracking | eSurv can track the device’s location.[1] |
mobile | T1636 | Protected User Data | - |
mobile | T1636.003 | Contact List | eSurv can exfiltrate the device’s contact list.[1] |
mobile | T1426 | System Information Discovery | eSurv’s iOS version can collect device information.[1] |