S0555 CHEMISTGAMES
CHEMISTGAMES is a modular backdoor that has been deployed by Sandworm Team.[1]

Item | Value |
---|---|
ID | S0555 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 31 December 2020 |
Last Modified | 25 March 2021 |

Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
mobile | T1437 | Application Layer Protocol | - |
mobile | T1437.001 | Web Protocols | CHEMISTGAMES has used HTTPS for C2 communication.[1] |
mobile | T1623 | Command and Scripting Interpreter | - |
mobile | T1623.001 | Unix Shell | CHEMISTGAMES can run bash commands.[1] |
mobile | T1533 | Data from Local System | CHEMISTGAMES can collect files from the filesystem and account information from Google Chrome.[1] |
mobile | T1407 | Download New Code at Runtime | CHEMISTGAMES can download new modules while running.[1] |
mobile | T1521 | Encrypted Channel | - |
mobile | T1521.002 | Asymmetric Cryptography | CHEMISTGAMES has used HTTPS for C2 communication.[1] |
mobile | T1430 | Location Tracking | CHEMISTGAMES has collected the device’s location.[1] |
mobile | T1575 | Native API | CHEMISTGAMES has utilized native code to decrypt its malicious payload.[1] |
mobile | T1406 | Obfuscated Files or Information | CHEMISTGAMES has encrypted its DEX payload.[1] |
mobile | T1474 | Supply Chain Compromise | - |
mobile | T1474.003 | Compromise Software Supply Chain | CHEMISTGAMES has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers and subsequently gaining access to their Google Play Store developer accounts.[1] |
mobile | T1426 | System Information Discovery | CHEMISTGAMES has fingerprinted devices to uniquely identify them.[1] |

Groups That Use This Software

ID | Name | References |
---|---|---|
G0034 | Sandworm Team | [1] |