
S0539 Red Alert 2.0

Red Alert 2.0 is a banking trojan that masquerades as a VPN client.[1]

| Item | Value |
|---|---|
| ID | S0539 |
| Associated Names | |
| Version | 1.0 |
| Created | 14 December 2020 |
| Last Modified | 16 December 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1433 | Access Call Log | Red Alert 2.0 can collect the device’s call log.[1] |
| mobile | T1432 | Access Contact List | Red Alert 2.0 can collect the device’s contact list.[1] |
| mobile | T1418 | Application Discovery | Red Alert 2.0 can obtain the running application.[1] |
| mobile | T1412 | Capture SMS Messages | Red Alert 2.0 can collect SMS messages.[1] |
| mobile | T1476 | Deliver Malicious App via Other Means | Red Alert 2.0 has been distributed via webpages designed to look like the Play Store.[1] |
| mobile | T1401 | Device Administrator Permissions | Red Alert 2.0 can request device administrator permissions.[1] |
| mobile | T1407 | Download New Code at Runtime | Red Alert 2.0 can download additional overlay templates.[1] |
| mobile | T1411 | Input Prompt | Red Alert 2.0 has used malicious overlays to collect banking credentials.[1] |
| mobile | T1444 | Masquerade as Legitimate Application | Red Alert 2.0 has masqueraded as legitimate media player, social media, and VPN applications.[1] |
| mobile | T1406 | Obfuscated Files or Information | Red Alert 2.0 has stored data embedded in the strings.xml resource file.[1] |
| mobile | T1582 | SMS Control | Red Alert 2.0 can send SMS messages.[1] |
| mobile | T1437 | Standard Application Layer Protocol | Red Alert 2.0 has communicated with the C2 using HTTP.[1] |
| mobile | T1509 | Uncommonly Used Port | Red Alert 2.0 has communicated with the C2 over port 7878.[1] |
| mobile | T1481 | Web Service | Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.[1] |

