Skip to content

S0529 CarbonSteal

CarbonSteal is one of a family of four surveillanceware tools that share a common C2 infrastructure. CarbonSteal primarily deals with audio surveillance. 1

Item Value
ID S0529
Associated Names
Type MALWARE
Version 1.1
Created 10 November 2020
Last Modified 20 September 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1429 Audio Capture CarbonSteal can remotely capture device audio.1
mobile T1616 Call Control CarbonSteal can silently accept an incoming phone call.1
mobile T1407 Download New Code at Runtime CarbonSteal can dynamically load additional functionality.1
mobile T1521 Encrypted Channel -
mobile T1521.002 Asymmetric Cryptography CarbonSteal has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing a SSL connection.1
mobile T1420 File and Directory Discovery CarbonSteal has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.1
mobile T1630 Indicator Removal on Host -
mobile T1630.002 File Deletion CarbonSteal has deleted call log entries coming from known C2 sources.1
mobile T1430 Location Tracking CarbonSteal can access the device’s location and track the device over time.1
mobile T1575 Native API CarbonSteal has seen native libraries used in some reported samples 1
mobile T1406 Obfuscated Files or Information CarbonSteal has used incorrect file extensions and encryption to hide most of its assets, including secondary APKs, configuration files, and JAR or DEX files.1
mobile T1644 Out of Band Data CarbonSteal has used specially crafted SMS messages to control the target device.1
mobile T1636 Protected User Data -
mobile T1636.004 SMS Messages CarbonSteal can access the device’s SMS and MMS messages.1
mobile T1418 Software Discovery CarbonSteal has looked for specific applications, such as MiCode.1
mobile T1409 Stored Application Data CarbonSteal can collect notes and data from the MiCode app.1
mobile T1426 System Information Discovery CarbonSteal has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.1
mobile T1422 System Network Configuration Discovery CarbonSteal has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). CarbonSteal has also called netcfg to get stats.1

References

  1. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.