S1055 SharkBot
SharkBot is Android banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.[1]
| Item | Value | 
|---|---|
| ID | S1055 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.0 | 
| Created | 18 January 2023 | 
| Last Modified | 28 February 2023 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| mobile | T1517 | Access Notifications | SharkBot can intercept notifications, forward them to the C2 server, and abuse the Direct Reply feature.[1] | 
| mobile | T1437 | Application Layer Protocol | - | 
| mobile | T1437.001 | Web Protocols | SharkBot can use HTTP to send C2 messages to infected devices.[1] | 
| mobile | T1407 | Download New Code at Runtime | SharkBot can use the Android "Direct Reply" feature to spread the malware to other devices. It can also download the full version of the malware after initial device compromise.[1] | 
| mobile | T1637 | Dynamic Resolution | - | 
| mobile | T1637.001 | Domain Generation Algorithms | SharkBot contains a domain generation algorithm used as a fallback when the hardcoded C2 domains are unavailable.[1] | 
| mobile | T1521 | Encrypted Channel | - | 
| mobile | T1521.001 | Symmetric Cryptography | SharkBot can use RC4 to encrypt C2 payloads.[1] | 
| mobile | T1521.002 | Asymmetric Cryptography | SharkBot has used RSA to encrypt the symmetric key that protects C2 messages.[1] | 
| mobile | T1646 | Exfiltration Over C2 Channel | SharkBot can exfiltrate captured user credentials and event logs to the C2 server.[1] | 
| mobile | T1630 | Indicator Removal on Host | - | 
| mobile | T1630.001 | Uninstall Malicious Application | SharkBot has C2 commands that uninstall the app from the infected device.[1] | 
| mobile | T1544 | Ingress Tool Transfer | SharkBot can download attacker-specified files.[1] | 
| mobile | T1417 | Input Capture | - | 
| mobile | T1417.001 | Keylogging | SharkBot can use accessibility event logging to steal data entered in text fields.[1] | 
| mobile | T1417.002 | GUI Input Capture | SharkBot can use a WebView with a fake login page to capture banking credentials.[1] | 
| mobile | T1516 | Input Injection | SharkBot can use input injection via Accessibility Services to simulate user touch input, prevent applications from opening, change device settings, and bypass MFA protections.[1] | 
| mobile | T1406 | Obfuscated Files or Information | SharkBot can use a domain generation algorithm to decode the C2 server location.[1] | 
| mobile | T1644 | Out of Band Data | SharkBot can use the Android "Direct Reply" feature to automatically reply to notifications with a message supplied by the C2 server.[1] | 
| mobile | T1424 | Process Discovery | SharkBot can use Accessibility Services to detect which process is in the foreground.[1] | 
| mobile | T1636 | Protected User Data | - | 
| mobile | T1636.004 | SMS Messages | SharkBot can intercept SMS messages.[1] | 
| mobile | T1582 | SMS Control | SharkBot can hide and send SMS messages. SharkBot can also change which application is the device's default SMS handler.[1] |
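The three settings that the accessibility, notification-access and default-SMS rows above depend on are all readable over adb, so a quick device triage is possible. The following helper is an added example for this page, not code from MITRE or from the SharkBot sample: it parses the output of `adb shell settings get secure <key>` for `enabled_accessibility_services`, `enabled_notification_listeners` and `sms_default_application`, and flags any package not on an allowlist. The allowlist, the package name `com.example.fakeav` and the sample device output are constructed for the example.

```python
"""Added triage helper (not part of the ATT&CK page or of SharkBot).

Reads the Settings.Secure values abused by T1516/T1517/T1582 over adb and
flags components whose package is not on an allowlist. The allowlist and
SAMPLE below are constructed; the adb command is the stock
`adb shell settings get secure <key>`.
"""
import shutil
import subprocess

# Settings.Secure keys, as stored on the device (colon-separated
# flattened ComponentNames "pkg/cls" for the first two, a package for the last).
SECURE_KEYS = {
    "accessibility": "enabled_accessibility_services",
    "notification_listeners": "enabled_notification_listeners",
    "default_sms": "sms_default_application",
}

# Constructed allowlist (assumption): packages expected on a managed device.
ALLOWLIST = {"com.google.android.marvin.talkback", "com.android.messaging"}


def parse_component_list(raw):
    """Split a colon-separated component list; 'null' or '' means unset."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    return [c for c in raw.split(":") if c]


def package_of(component):
    """'pkg/cls' -> 'pkg'; a bare package name is returned unchanged."""
    return component.split("/", 1)[0]


def unexpected(components, allowlist=ALLOWLIST):
    """Packages present in the list but absent from the allowlist, sorted."""
    return sorted({package_of(c) for c in components} - set(allowlist))


def triage(settings, allowlist=ALLOWLIST):
    """settings: dict label -> raw string from `settings get secure`.
    Returns {label: [offending packages]} for anything not allowlisted."""
    findings = {}
    for label in ("accessibility", "notification_listeners"):
        hits = unexpected(parse_component_list(settings.get(label)), allowlist)
        if hits:
            findings[label] = hits
    sms = (settings.get("default_sms") or "").strip()
    if sms not in ("", "null") and sms not in allowlist:
        findings["default_sms"] = [sms]
    return findings


def read_from_device(adb="adb"):
    """Collect the three values from a connected device via adb."""
    if shutil.which(adb) is None:
        raise RuntimeError("adb not on PATH")
    out = {}
    for label, key in SECURE_KEYS.items():
        proc = subprocess.run([adb, "shell", "settings", "get", "secure", key],
                              capture_output=True, text=True, check=True)
        out[label] = proc.stdout
    return out


# Constructed sample of what the device returned on a hypothetical infected
# phone: a rogue package holds accessibility, notification access and the
# default SMS role, exactly the footprint the table above describes.
SAMPLE = {
    "accessibility": ("com.google.android.marvin.talkback/"
                      "com.google.android.marvin.talkback.TalkBackService:"
                      "com.example.fakeav/com.example.fakeav.AccService"),
    "notification_listeners": "com.example.fakeav/com.example.fakeav.NlService",
    "default_sms": "com.example.fakeav",
}

if __name__ == "__main__":
    for label, pkgs in triage(SAMPLE).items():
        print(f"{label}: {', '.join(pkgs)}")
```

One caveat when running this against a real handset: on Android 10 and later the SMS role is managed by RoleManager, so treat `sms_default_application` as a hint and confirm which app holds the SMS role before acting on it.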
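The two Encrypted Channel rows describe a hybrid envelope: the C2 payload is encrypted with RC4 and the RC4 key is itself encrypted with RSA. The block below is an added illustration of that construction and is not SharkBot's code; the envelope layout, the 16-byte key length and the toy RSA modulus (two Mersenne primes, no padding, so it runs offline) are assumptions. It also shows the analyst-side consequence of RC4 being a stream cipher: if one key is reused for two messages, a known plaintext for one message recovers the other.

```python
"""Added example of an RC4 + RSA-wrapped-key C2 envelope (not SharkBot's code).

The RSA parameters are toy-sized (assumption) so the example runs offline;
production keys are 2048-bit with OAEP padding, which is omitted here.
"""
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: KSA then PRGA, output XORed with the data."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Toy RSA (assumption): p, q are Mersenne primes M61 and M89, giving a
# ~150-bit modulus that can hold a 128-bit key without padding.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KEY_LEN = 16


def wrap_key(sym_key: bytes) -> int:
    """Encrypt the symmetric key with the operator's RSA public key."""
    m = int.from_bytes(sym_key, "big")
    if m >= N:
        raise ValueError("key does not fit under the toy modulus")
    return pow(m, E, N)


def unwrap_key(wrapped: int) -> bytes:
    """Recover the symmetric key with the RSA private key."""
    return pow(wrapped, D, N).to_bytes(KEY_LEN, "big")


def seal(plaintext: bytes, sym_key: bytes = None):
    """Client side: fresh RC4 key, wrapped with RSA; payload under RC4."""
    sym_key = sym_key or os.urandom(KEY_LEN)
    return wrap_key(sym_key), rc4(sym_key, plaintext)


def open_envelope(wrapped: int, ciphertext: bytes) -> bytes:
    """Server side: unwrap the key, then RC4 is its own inverse."""
    return rc4(unwrap_key(wrapped), ciphertext)


def recover_with_known_plaintext(c_known: bytes, p_known: bytes,
                                 c_target: bytes) -> bytes:
    """If two messages share an RC4 key, c_known XOR p_known is the
    keystream, which decrypts c_target for the overlapping prefix."""
    keystream = bytes(a ^ b for a, b in zip(c_known, p_known))
    return bytes(a ^ b for a, b in zip(c_target, keystream))


if __name__ == "__main__":
    wrapped, ct = seal(b'{"cmd":"collect"}')
    print(open_envelope(wrapped, ct))
```

The usual analyst workflow follows from this: a sample's RC4 key lives on the device at runtime, so recovering it from memory or from the decrypted C2 exchange lets captured HTTP bodies be decrypted offline, and any key reuse across messages makes that job easier still.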