S0555 CHEMISTGAMES
CHEMISTGAMES is a modular backdoor that has been deployed by Sandworm Team.[1]
| Item | Value |
|---|---|
| ID | S0555 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 31 December 2020 |
| Last Modified | 25 March 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1605 | Command-Line Interface | CHEMISTGAMES can run bash commands.[1] |
| mobile | T1533 | Data from Local System | CHEMISTGAMES can collect files from the filesystem and account information from Google Chrome.[1] |
| mobile | T1475 | Deliver Malicious App via Authorized App Store | CHEMISTGAMES has been distributed via the Google Play Store.[1] |
| mobile | T1407 | Download New Code at Runtime | CHEMISTGAMES can download new modules while running.[1] |
| mobile | T1430 | Location Tracking | CHEMISTGAMES has collected the device’s location.[1] |
| mobile | T1444 | Masquerade as Legitimate Application | CHEMISTGAMES has masqueraded as popular South Korean applications.[1] |
| mobile | T1575 | Native Code | CHEMISTGAMES has utilized native code to decrypt its malicious payload.[1] |
| mobile | T1406 | Obfuscated Files or Information | CHEMISTGAMES has encrypted its DEX payload.[1] |
| mobile | T1437 | Standard Application Layer Protocol | CHEMISTGAMES has used HTTPS for C2 communication.[1] |
| mobile | T1521 | Standard Cryptographic Protocol | CHEMISTGAMES has used HTTPS for C2 communication.[1] |
| mobile | T1474 | Supply Chain Compromise | CHEMISTGAMES has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers and subsequently gaining access to their Google Play Store developer accounts.[1] |
| mobile | T1426 | System Information Discovery | CHEMISTGAMES has fingerprinted devices to uniquely identify them.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | [1] |