S1126 Phenakite
Phenakite is a mobile malware that is used by APT-C-23 to target iOS devices. According to several reports, Phenakite was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.[2][1]
| Item | Value |
|---|---|
| ID | S1126 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 26 March 2024 |
| Last Modified | 17 November 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1429 | Audio Capture | Phenakite can record phone calls.[1] |
| mobile | T1533 | Data from Local System | Phenakite can collect and exfiltrate WhatsApp media, photos and files with specific extensions, such as .pdf and .doc.[1] |
| mobile | T1404 | Exploitation for Privilege Escalation | Phenakite has included exploits for jailbreaking infected devices.[1] |
| mobile | T1544 | Ingress Tool Transfer | Phenakite can download additional malware to the victim device.[1] |
| mobile | T1417 | Input Capture | Phenakite has used phishing sites for iCloud and Facebook if either of those were used for authentication during the chat sign-up process.[1] |
| mobile | T1655 | Masquerading | - |
| mobile | T1655.001 | Match Legitimate Name or Location | Phenakite can masquerade as the chat application “Magic Smile.”[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.003 | Contact List | Phenakite can exfiltrate the victim device’s contact list.[1] |
| mobile | T1636.004 | SMS Messages | Phenakite can read SMS messages.[1] |
| mobile | T1426 | System Information Discovery | Phenakite can collect device metadata.[1] |
| mobile | T1512 | Video Capture | Phenakite can capture pictures and videos.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1028 | APT-C-23 | [2][1] |