S0549 SilkBean
SilkBean is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.1
| Item | Value |
|---|---|
| ID | S0549 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 24 December 2020 |
| Last Modified | 19 April 2021 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | SilkBean has used HTTPS for C2 communication.1 |
| mobile | T1533 | Data from Local System | SilkBean can retrieve files from external storage and can collect browser data.1 |
| mobile | T1407 | Download New Code at Runtime | SilkBean can install new applications which are obtained from the C2 server.1 |
| mobile | T1521 | Encrypted Channel | - |
| mobile | T1521.002 | Asymmetric Cryptography | SilkBean has used HTTPS for C2 communication.1 |
| mobile | T1420 | File and Directory Discovery | SilkBean can get file lists on the SD card.1 |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.002 | File Deletion | SilkBean can delete various piece of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.1 |
| mobile | T1430 | Location Tracking | SilkBean has access to the device’s location.1 |
| mobile | T1406 | Obfuscated Files or Information | SilkBean has hidden malicious functionality in a second stage file and has encrypted C2 server information.1 |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | SilkBean can access call logs.1 |
| mobile | T1636.003 | Contact List | SilkBean can access device contacts.1 |
| mobile | T1636.004 | SMS Messages | SilkBean can access SMS messages.1 |
| mobile | T1582 | SMS Control | SilkBean can send SMS messages.1 |
| mobile | T1632 | Subvert Trust Controls | - |
| mobile | T1632.001 | Code Signing Policy Modification | SilkBean has attempted to trick users into enabling installation of applications from unknown sources.1 |
| mobile | T1512 | Video Capture | SilkBean can access the camera on the device.1 |