Skip to content

S0551 GoldenEagle

GoldenEagle is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.1

Item Value
ID S0551
Associated Names
Type MALWARE
Version 1.0
Created 24 December 2020
Last Modified 25 March 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols GoldenEagle has used HTTP POST requests for C2.1
mobile T1429 Audio Capture GoldenEagle has recorded calls and environment audio in .amr format.1
mobile T1533 Data from Local System GoldenEagle has retrieved .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files from external storage.1
mobile T1407 Download New Code at Runtime GoldenEagle can download new code to update itself.1
mobile T1646 Exfiltration Over C2 Channel GoldenEagle has exfiltrated data via both SMTP and HTTP.1
mobile T1420 File and Directory Discovery GoldenEagle has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.1
mobile T1430 Location Tracking GoldenEagle has tracked location.1
mobile T1636 Protected User Data -
mobile T1636.002 Call Log GoldenEagle has collected call logs.1
mobile T1636.003 Contact List GoldenEagle has collected a list of contacts.1
mobile T1636.004 SMS Messages GoldenEagle has collected SMS messages.1
mobile T1513 Screen Capture GoldenEagle has taken screenshots.1
mobile T1582 SMS Control GoldenEagle has sent messages to an attacker-controlled number.1
mobile T1418 Software Discovery GoldenEagle has collected a list of installed application names.1
mobile T1409 Stored Application Data GoldenEagle has extracted messages from chat programs, such as WeChat.1
mobile T1632 Subvert Trust Controls -
mobile T1632.001 Code Signing Policy Modification GoldenEagle has modified or configured proxy information.1
mobile T1426 System Information Discovery GoldenEagle has checked for system root.1
mobile T1512 Video Capture GoldenEagle has taken photos with the device camera.1

References

  1. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.