T1437.001 Web Protocols
Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server.
Web protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect.
Item | Value |
---|---|
ID | T1437.001 |
Sub-techniques | T1437.001 |
Tactics | TA0037 |
Platforms | Android, iOS |
Version | 1.0 |
Created | 01 April 2022 |
Last Modified | 06 April 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S1061 | AbstractEmu | AbstractEmu can use HTTP to communicate with the C2 server.19 |
S0525 | Android/AdDisplay.Ashas | Android/AdDisplay.Ashas has communicated with the C2 server using HTTP.5 |
S0304 | Android/Chuli.A | Android/Chuli.A used HTTP uploads to a URL as a command and control mechanism.21 |
S0540 | Asacub | Asacub has communicated with the C2 using HTTP POST requests.1 |
S0432 | Bread | Bread communicates with the C2 server using HTTP requests.14 |
S0480 | Cerberus | Cerberus communicates with the C2 server using HTTP.15 |
S0555 | CHEMISTGAMES | CHEMISTGAMES has used HTTPS for C2 communication.27 |
S0426 | Concipit1248 | Concipit1248 communicates with the C2 server using HTTP requests.12 |
S0425 | Corona Updates | Corona Updates communicates with the C2 server using HTTP requests.12 |
G0070 | Dark Caracal | Dark Caracal controls implants using standard HTTP communication.33 |
S0479 | DEFENSOR ID | DEFENSOR ID has used Firebase Cloud Messaging for C2.6 |
S0478 | EventBot | EventBot communicates with the C2 using HTTP requests.28 |
S0522 | Exobot | Exobot has used HTTPS for C2 communication.16 |
S0405 | Exodus | Exodus One checks in with the command and control server using HTTP POST requests.10 |
S0509 | FakeSpy | FakeSpy exfiltrates data using HTTP requests.7 |
S1067 | FluBot | FluBot can use HTTP POST requests on port 80 for communicating with its C2 server.22 |
S0535 | Golden Cup | Golden Cup has communicated with the C2 using MQTT and HTTP.11 |
S0551 | GoldenEagle | GoldenEagle has used HTTP POST requests for C2.17 |
S0536 | GPlayed | GPlayed has communicated with the C2 using HTTP requests or WebSockets as a backup.9 |
S0406 | Gustuff | Gustuff communicates with the command and control server using HTTP requests.23 |
S0463 | INSOMNIA | INSOMNIA communicates with the C2 server using HTTPS requests.4 |
S0539 | Red Alert 2.0 | Red Alert 2.0 has communicated with the C2 using HTTP.29 |
S0326 | RedDrop | RedDrop uses HTTP requests for C2 communication.8 |
S0403 | Riltok | Riltok communicates with the command and control server using HTTP requests.31 |
S0411 | Rotexy | Rotexy can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging.25 |
S0313 | RuMMS | RuMMS uses HTTP for command and control.24 |
S1062 | S.O.V.A. | S.O.V.A. can use the open-source project RetroFit for C2 communication.30 |
S1055 | SharkBot | SharkBot can use HTTP to send C2 messages to infected devices.20 |
S0549 | SilkBean | SilkBean has used HTTPS for C2 communication.17 |
S0327 | Skygofree | Skygofree can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or GoogleCloudMessaging in older versions.13 |
S0427 | TrickMo | TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests.32 |
S0307 | Trojan-SMS.AndroidOS.Agent.ao | Trojan-SMS.AndroidOS.Agent.ao uses Google Cloud Messaging (GCM) for command and control.18 |
S0306 | Trojan-SMS.AndroidOS.FakeInst.a | Trojan-SMS.AndroidOS.FakeInst.a uses Google Cloud Messaging (GCM) for command and control.18 |
S0308 | Trojan-SMS.AndroidOS.OpFake.a | Trojan-SMS.AndroidOS.OpFake.a uses Google Cloud Messaging (GCM) for command and control.18 |
S0418 | ViceLeaker | ViceLeaker uses HTTP requests for C2 communication.23 |
S0311 | YiSpecter | YiSpecter has connected to the C2 server via HTTP.26 |
References
-
T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020. ↩
-
GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019. ↩
-
L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020. ↩
-
A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020. ↩
-
L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020. ↩
-
L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020. ↩
-
O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020. ↩
-
Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018. ↩
-
V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020. ↩
-
Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019. ↩
-
R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020. ↩
-
Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018. ↩
-
A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020. ↩
-
A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020. ↩
-
Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020. ↩
-
A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. ↩↩
-
Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016. ↩↩↩
-
P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. ↩
-
RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023. ↩
-
Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016. ↩
-
Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023. ↩
-
Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019. ↩
-
Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017. ↩
-
T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. ↩
-
Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023. ↩
-
B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020. ↩
-
D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020. ↩
-
J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020. ↩
-
ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023. ↩
-
Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019. ↩
-
P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020. ↩
-
Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. ↩