# S0539 Red Alert 2.0

Red Alert 2.0 is a banking trojan that masquerades as a VPN client.[1]
| Item | Value |
|---|---|
| ID | S0539 |
| Associated Names | (none) |
| Type | MALWARE |
| Version | 1.0 |
| Created | 14 December 2020 |
| Last Modified | 16 December 2020 |
## Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1626 | Abuse Elevation Control Mechanism | - |
| mobile | T1626.001 | Device Administrator Permissions | Red Alert 2.0 can request device administrator permissions.[1] |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | Red Alert 2.0 has communicated with the C2 using HTTP.[1] |
| mobile | T1407 | Download New Code at Runtime | Red Alert 2.0 can download additional overlay templates.[1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.002 | GUI Input Capture | Red Alert 2.0 has used malicious overlays to collect banking credentials.[1] |
| mobile | T1509 | Non-Standard Port | Red Alert 2.0 has communicated with the C2 using HTTP requests over port 7878.[1] |
| mobile | T1406 | Obfuscated Files or Information | Red Alert 2.0 has stored data embedded in the strings.xml resource file.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | Red Alert 2.0 can collect the device's call log.[1] |
| mobile | T1636.003 | Contact List | Red Alert 2.0 can collect the device's contact list.[1] |
| mobile | T1636.004 | SMS Messages | Red Alert 2.0 can collect SMS messages.[1] |
| mobile | T1582 | SMS Control | Red Alert 2.0 can send SMS messages.[1] |
| mobile | T1418 | Software Discovery | Red Alert 2.0 can obtain the running application.[1] |
| mobile | T1481 | Web Service | - |
| mobile | T1481.001 | Dead Drop Resolver | Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.[1] |