S0539 Red Alert 2.0
Red Alert 2.0 is a banking trojan that masquerades as a VPN client.1
Item | Value |
---|---|
ID | S0539 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 14 December 2020 |
Last Modified | 16 December 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1433 | Access Call Log | Red Alert 2.0 can collect the device’s call log.1 |
mobile | T1432 | Access Contact List | Red Alert 2.0 can collect the device’s contact list.1 |
mobile | T1418 | Application Discovery | Red Alert 2.0 can identify the currently running application.1 |
mobile | T1412 | Capture SMS Messages | Red Alert 2.0 can collect SMS messages.1 |
mobile | T1476 | Deliver Malicious App via Other Means | Red Alert 2.0 has been distributed via webpages designed to look like the Play Store.1 |
mobile | T1401 | Device Administrator Permissions | Red Alert 2.0 can request device administrator permissions.1 |
mobile | T1407 | Download New Code at Runtime | Red Alert 2.0 can download additional overlay templates.1 |
mobile | T1411 | Input Prompt | Red Alert 2.0 has used malicious overlays to collect banking credentials.1 |
mobile | T1444 | Masquerade as Legitimate Application | Red Alert 2.0 has masqueraded as legitimate media player, social media, and VPN applications.1 |
mobile | T1406 | Obfuscated Files or Information | Red Alert 2.0 has stored data embedded in the strings.xml resource file.1 |
mobile | T1582 | SMS Control | Red Alert 2.0 can send SMS messages.1 |
mobile | T1437 | Standard Application Layer Protocol | Red Alert 2.0 has communicated with the C2 using HTTP.1 |
mobile | T1509 | Uncommonly Used Port | Red Alert 2.0 has communicated with the C2 over port 7878.1 |
mobile | T1481 | Web Service | Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.1 |
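Several rows above point at the same cheap triage step: Red Alert 2.0 hides data in the APK's strings.xml (T1406), talks to its C2 over cleartext HTTP on port 7878 (T1437, T1509) and falls back to a Twitter account for a backup C2 (T1481). The script below is an added example, not code from ATT&CK or from the cited report: it walks a decoded res/values/strings.xml (as produced by apktool), decodes base64-looking resource strings, and flags URLs, nonstandard ports, cleartext HTTP endpoints and handle-shaped values. The sample XML, resource names, hosts and encoded payloads are all constructed for illustration and are not real indicators.

```python
"""Triage an Android strings.xml for data stashed in resource strings.

Added example (not from the ATT&CK page or the cited report). All sample
data below is constructed; nothing here is a real Red Alert 2.0 indicator.
"""
import base64
import binascii
import math
import re
import xml.etree.ElementTree as ET

# Constructed payloads: an encoded C2 URL and an opaque binary blob, built
# here so the base64 in the sample is guaranteed well-formed.
_ENCODED_C2 = base64.b64encode(b"http://vpncheck.example:7878/api/reg").decode()
_ENCODED_BLOB = base64.b64encode(bytes(range(64))).decode()

# Constructed sample of a decoded res/values/strings.xml: a few innocuous UI
# strings mixed with the kind of resource entries a triage pass should surface.
SAMPLE_STRINGS_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Secure VPN</string>
    <string name="connect">Connect</string>
    <string name="cfg_a">{_ENCODED_C2}</string>
    <string name="cfg_b">@example_backup</string>
    <string name="gw">http://update.example.net:7878/gate.php</string>
    <string name="blob">{_ENCODED_BLOB}</string>
    <string name="privacy">Your privacy is our priority.</string>
</resources>
"""

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::(\d{1,5}))?")
# A bare "@name" is a weak hint that a resource string is a social-media
# handle used as a dead-drop resolver; treat it as a lead, not a verdict.
HANDLE_RE = re.compile(r"^@[A-Za-z0-9_]{1,15}$")
# Ports a plain web client would be expected to use; anything else is noted.
COMMON_WEB_PORTS = {"80", "443", "8080", "8443"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for random/encrypted data, roughly 4-5 for English."""
    if not data:
        return 0.0
    total = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / total * math.log2(c / total) for c in counts)


def try_base64(value: str):
    """Return decoded bytes if value is well-formed base64, else None."""
    if not BASE64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(value: str) -> list:
    """Tag one resource string; recurses once into printable base64 payloads."""
    tags = []
    decoded = try_base64(value)
    if decoded is not None:
        if all(32 <= b < 127 for b in decoded):
            tags.append("base64_text")
            # The decoded text may itself be a URL, handle, etc.
            tags.extend(t for t in classify(decoded.decode("ascii")) if t not in tags)
        else:
            tags.append(f"base64_binary(entropy={shannon_entropy(decoded):.2f})")
    match = URL_RE.search(value)
    if match:
        tags.append("url")
        if match.group(0).startswith("http://"):
            tags.append("cleartext_http")
        port = match.group(2)
        if port and port not in COMMON_WEB_PORTS:
            tags.append(f"nonstandard_port:{port}")
    if HANDLE_RE.match(value):
        tags.append("social_handle")
    return tags


def analyze_strings_xml(xml_text) -> list:
    """Return [{name, value, tags}] for every <string> that earned a tag."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")  # let expat honour the declaration
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter("string"):
        value = (element.text or "").strip()
        tags = classify(value)
        if tags:
            findings.append({"name": element.get("name", ""), "value": value, "tags": tags})
    return findings


if __name__ == "__main__":
    for finding in analyze_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{finding['name']:<8} {', '.join(finding['tags'])}")
```

Run it against `apktool d target.apk` output by feeding `res/values/strings.xml` to `analyze_strings_xml`. The base64 heuristic will also fire on long camelCase identifiers that happen to be valid base64, so expect some noise on large apps; anything tagged `base64_binary` is a candidate for the decryption routine in the smali rather than a verdict on its own, and a `nonstandard_port` hit on a decoded URL is the kind of detail worth turning into a network detection.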