T1509 Non-Standard Port
Adversaries may generate network traffic using a protocol and port pairing that are not typically associated with each other. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may change the standard port used by a protocol to bypass filtering or to muddle analysis and parsing of network data.
| Item | Value |
|---|---|
| ID | T1509 |
| Sub-techniques | |
| Tactics | TA0037 |
| Platforms | Android, iOS |
| Version | 2.1 |
| Created | 01 August 2019 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0480 | Cerberus | Cerberus communicates with the C2 using HTTP requests over port 8888. [2] |
| S1083 | Chameleon | Chameleon has communicated over port 7242 using HTTP. [3] |
| S0405 | Exodus | Exodus Two attempts to connect to port 22011 to provide a remote reverse shell. [8] |
| S0408 | FlexiSpy | FlexiSpy can communicate with the command and control server over ports 12512 and 12514. [1] |
| S0463 | INSOMNIA | INSOMNIA has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773. [5] |
| S1185 | LightSpy | LightSpy has communicated with the C2 using ports 52202, 51200, 43201, 43202, 43203, and 21202. [6] |
| S0485 | Mandrake | Mandrake has communicated with the C2 server over TCP port 7777. [4] |
| S0539 | Red Alert 2.0 | Red Alert 2.0 has communicated with the C2 using HTTP requests over port 7878. [7] |
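A detection-side illustration of the protocol/port mismatch the description and the procedure examples above describe, added here and not part of the ATT&CK page: it infers the application protocol from the first bytes a client sends and compares that with an assumed per-port allowlist, so HTTP on 8888 or TLS on 43111 is flagged regardless of the port. The `Flow` class, the allowlist and the sample payloads are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Expected protocol per destination port (assumption: a small allowlist; baseline it from your own traffic).
EXPECTED_PROTOCOL = {80: "http", 8080: "http", 443: "tls", 8443: "tls",
                     22: "ssh", 25: "smtp", 587: "smtp"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

@dataclass
class Flow:
    dst: str
    dst_port: int
    payload: bytes  # first bytes sent by the client

def identify_protocol(payload: bytes) -> str:
    """Infer the application protocol from the client's first bytes, ignoring the port."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS handshake record: content type 0x16, version 0x03xx, ClientHello (0x01) at offset 5.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"

def check_flow(flow: Flow) -> Optional[str]:
    """Return an alert when the observed protocol does not match the port, else None."""
    observed = identify_protocol(flow.payload)
    if observed == "unknown":
        return None  # unrecognised payloads are out of scope for this rule
    expected = EXPECTED_PROTOCOL.get(flow.dst_port)
    if expected == observed:
        return None
    if expected is None:
        return f"{observed} to {flow.dst}:{flow.dst_port} on a port with no registered protocol"
    return f"{observed} to {flow.dst}:{flow.dst_port}, port normally carries {expected}"

def scan(flows: List[Flow]) -> List[str]:
    """Run the mismatch check over every flow and collect the alerts."""
    return [alert for alert in map(check_flow, flows) if alert]

# Constructed sample flows (not real captures); ports mirror the procedure table above.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01]) + b"\x00" * 8
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 443, CLIENT_HELLO),
    Flow("203.0.113.10", 8888, b"GET /gate.php HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
    Flow("203.0.113.11", 43111, CLIENT_HELLO),
    Flow("203.0.113.12", 587, CLIENT_HELLO),
    Flow("203.0.113.13", 80, b"POST /login HTTP/1.1\r\n"),
]
```

Running `scan(SAMPLE_FLOWS)` yields three alerts (HTTP on 8888, TLS on 43111, TLS on 587) while the two conventional flows pass silently; a real deployment would feed it from a flow sensor and tune the allowlist to the environment.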
References
1. K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.
2. A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.
3. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
4. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
5. A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
6. ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.
7. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.
8. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.