Skip to content

S0550 DoubleAgent

DoubleAgent is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.1

Item Value
ID S0550
Associated Names
Version 1.0
Created 24 December 2020
Last Modified 19 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol DoubleAgent has used both FTP and TCP sockets for data exfiltration.1
mobile T1429 Audio Capture DoubleAgent has captured audio and can record phone calls.1
mobile T1623 Command and Scripting Interpreter -
mobile T1623.001 Unix Shell DoubleAgent can run arbitrary shell commands.1
mobile T1645 Compromise Client Software Binary DoubleAgent has used exploits to root devices and install additional malware on the system partition.1
mobile T1533 Data from Local System DoubleAgent has collected files from the infected device.1
mobile T1407 Download New Code at Runtime DoubleAgent has downloaded additional code to root devices, such as TowelRoot.1
mobile T1404 Exploitation for Privilege Escalation DoubleAgent has used exploit tools to gain root, such as TowelRoot.1
mobile T1420 File and Directory Discovery DoubleAgent has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.1
mobile T1628 Hide Artifacts -
mobile T1628.001 Suppress Application Icon DoubleAgent has hidden its app icon.1
mobile T1630 Indicator Removal on Host -
mobile T1630.002 File Deletion DoubleAgent has deleted or renamed specific files.1
mobile T1406 Obfuscated Files or Information DoubleAgent has used an AES encrypted file in the assets folder with an unsuspecting name (e.g. ‘GoogleMusic.png’) for holding configuration and C2 information.1
mobile T1636 Protected User Data -
mobile T1636.002 Call Log DoubleAgent has accessed the call logs.1
mobile T1636.003 Contact List DoubleAgent has accessed the contact list.1
mobile T1636.004 SMS Messages DoubleAgent has captured SMS and MMS messages.1
mobile T1418 Software Discovery DoubleAgent has accessed the list of installed apps.1
mobile T1409 Stored Application Data DoubleAgent has accessed browser history, as well as the files for 15 other apps.1
mobile T1426 System Information Discovery DoubleAgent has accessed common system information.1