S0539 Red Alert 2.0

Red Alert 2.0 is a banking trojan that masquerades as a VPN client. [1]

| Item | Value |
| --- | --- |
| ID | S0539 |
| Associated Names | |
| Version | 1.0 |
| Created | 14 December 2020 |
| Last Modified | 16 December 2020 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| mobile | T1626 | Abuse Elevation Control Mechanism | - |
| mobile | T1626.001 | Device Administrator Permissions | Red Alert 2.0 can request device administrator permissions. [1] |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | Red Alert 2.0 has communicated with the C2 using HTTP. [1] |
| mobile | T1407 | Download New Code at Runtime | Red Alert 2.0 can download additional overlay templates. [1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.002 | GUI Input Capture | Red Alert 2.0 has used malicious overlays to collect banking credentials. [1] |
| mobile | T1509 | Non-Standard Port | Red Alert 2.0 has communicated with the C2 using HTTP requests over port 7878. [1] |
| mobile | T1406 | Obfuscated Files or Information | Red Alert 2.0 has stored data embedded in the strings.xml resource file. [1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | Red Alert 2.0 can collect the device's call log. [1] |
| mobile | T1636.003 | Contact List | Red Alert 2.0 can collect the device's contact list. [1] |
| mobile | T1636.004 | SMS Messages | Red Alert 2.0 can collect SMS messages. [1] |
| mobile | T1582 | SMS Control | Red Alert 2.0 can send SMS messages. [1] |
| mobile | T1418 | Software Discovery | Red Alert 2.0 can obtain the currently running application. [1] |
| mobile | T1481 | Web Service | - |
| mobile | T1481.001 | Dead Drop Resolver | Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive. [1] |