S0545 TERRACOTTA
TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]
Item | Value |
---|---|
ID | S0545 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 18 December 2020 |
Last Modified | 28 December 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1407 | Download New Code at Runtime | TERRACOTTA can download additional modules at runtime via JavaScript eval statements.[1] |
mobile | T1624 | Event Triggered Execution | - |
mobile | T1624.001 | Broadcast Receivers | TERRACOTTA has registered several broadcast receivers.[1] |
mobile | T1541 | Foreground Persistence | TERRACOTTA has utilized foreground services.[1] |
mobile | T1643 | Generate Traffic from Victim | TERRACOTTA has generated non-human advertising impressions.[1] |
mobile | T1417 | Input Capture | - |
mobile | T1417.002 | GUI Input Capture | TERRACOTTA has displayed a form to collect user data after installation.[1] |
mobile | T1516 | Input Injection | TERRACOTTA can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.[1] |
mobile | T1575 | Native API | TERRACOTTA has included native modules.[1] |
mobile | T1406 | Obfuscated Files or Information | TERRACOTTA has stored encoded strings.[1] |
mobile | T1603 | Scheduled Task/Job | TERRACOTTA has used timer events in React Native to initiate the foreground service.[1] |
mobile | T1582 | SMS Control | TERRACOTTA can send SMS messages.[1] |
mobile | T1418 | Software Discovery | TERRACOTTA can obtain a list of installed apps.[1] |
mobile | T1422 | System Network Configuration Discovery | TERRACOTTA has collected the device’s phone number and can check if the active network connection is metered.[1] |
mobile | T1633 | Virtualization/Sandbox Evasion | - |
mobile | T1633.001 | System Checks | TERRACOTTA checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings.[1] |
mobile | T1481 | Web Service | - |
mobile | T1481.002 | Bidirectional Communication | TERRACOTTA has used Firebase for C2 communication.[1] |