S0522 Exobot
Exobot is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.2
| Item | Value |
|---|---|
| ID | S0522 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 29 October 2020 |
| Last Modified | 07 December 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1626 | Abuse Elevation Control Mechanism | - |
| mobile | T1626.001 | Device Administrator Permissions | Exobot can request device administrator permissions.2 |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | Exobot has used HTTPS for C2 communication.2 |
| mobile | T1642 | Endpoint Denial of Service | Exobot can lock the device with a password and permanently disable the screen.2 |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | Exobot has registered to receive the BOOT_COMPLETED broadcast intent.2 |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | Exobot has used web injects to capture users’ credentials.2 |
| mobile | T1417.002 | GUI Input Capture | Exobot can show phishing popups when a targeted application is running.2 |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.003 | Contact List | Exobot can access the device’s contact list.2 |
| mobile | T1636.004 | SMS Messages | Exobot can intercept SMS messages.2 |
| mobile | T1604 | Proxy Through Victim | Exobot can open a SOCKS proxy connection through the compromised device.2 |
| mobile | T1582 | SMS Control | Exobot can forward SMS messages.2 |
| mobile | T1418 | Software Discovery | - |
| mobile | T1418.001 | Security Software Discovery | Exobot can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is.2 |
| mobile | T1426 | System Information Discovery | Exobot can obtain the device’s country and carrier name.2 |
| mobile | T1422 | System Network Configuration Discovery | Exobot can obtain the device’s IMEI, phone number, and IP address.2 |