S0507 eSurv
eSurv is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.[1]
| Item | Value |
|---|---|
| ID | S0507 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 14 September 2020 |
| Last Modified | 14 September 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1432 | Access Contact List | eSurv can exfiltrate the device’s contact list.[1] |
| mobile | T1429 | Capture Audio | eSurv can record audio.[1] |
| mobile | T1533 | Data from Local System | eSurv can exfiltrate device pictures.[1] |
| mobile | T1475 | Deliver Malicious App via Authorized App Store | eSurv’s Android version was available in the Google Play Store.[1] |
| mobile | T1476 | Deliver Malicious App via Other Means | eSurv has been distributed via phishing websites with geo-restrictions that allow access only to Italian and Turkmenistani mobile carriers. eSurv can install applications via malicious iOS provisioning profiles containing the developer’s certificate.[1] |
| mobile | T1407 | Download New Code at Runtime | eSurv’s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload, which is Exodus.[1] |
| mobile | T1581 | Geofencing | eSurv imposes geo-restrictions when delivering the second stage.[1] |
| mobile | T1430 | Location Tracking | eSurv can track the device’s location.[1] |
| mobile | T1437 | Standard Application Layer Protocol | eSurv has exfiltrated data using HTTP PUT requests.[1] |
| mobile | T1521 | Standard Cryptographic Protocol | eSurv’s Android version has used public key encryption and certificate pinning for C2 communication.[1] |
| mobile | T1426 | System Information Discovery | eSurv’s iOS version can collect device information.[1] |