T1521.001 Symmetric Cryptography
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.
| Item | Value |
|---|---|
| ID | T1521.001 |
| Sub-techniques | T1521.001, T1521.002 |
| Tactics | TA0037 |
| Platforms | Android, iOS |
| Version | 1.0 |
| Created | 05 April 2022 |
| Last Modified | 05 April 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0478 | EventBot | EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[3] |
| S0411 | Rotexy | Rotexy encrypts JSON HTTP payloads with AES.[2] |
| S1055 | SharkBot | SharkBot can use RC4 to encrypt C2 payloads.[1] |
| G0112 | Windshift | Windshift has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.[4] |
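To show how a defender can spot this behaviour on the wire, here is an added example (not part of the ATT&CK entry): an entropy screen over HTTP bodies that separates a plaintext JSON check-in from the same data after the RC4 and base64 treatments named in the procedure examples above. The RC4 routine, the key and the sample bodies are constructed for the demonstration, and the 7.0 bits/byte threshold is an assumption to tune per environment.

```python
import base64
import json
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for ciphertext, ~3-5 for JSON/text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA), used here only to build sample ciphertext."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def classify_body(body: bytes, threshold: float = 7.0) -> str:
    """Flag a body whose bytes look uniformly random. A base64 layer is stripped
    first: base64 text tops out near 6 bits/byte and would mask ciphertext."""
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # not base64: judge the bytes as they are
        raw = body
    return "suspect-encrypted" if shannon_entropy(raw) >= threshold else "plaintext"

# Constructed samples: a benign JSON check-in and its RC4 / base64 forms.
PLAIN = json.dumps({"id": "device-0001", "log": "screen on " * 200}).encode()
KEY = b"constructed-demo-key"  # placeholder key, not taken from any sample
SAMPLES = {
    "json": PLAIN,
    "json_b64": base64.b64encode(PLAIN),
    "rc4": rc4(KEY, PLAIN),
    "rc4_b64": base64.b64encode(rc4(KEY, PLAIN)),
}

def screen(samples: dict) -> dict:
    """Classify each sample body; a proxy or SIEM rule would do this per request."""
    return {name: classify_body(body) for name, body in samples.items()}
```

Short bodies (under a few hundred bytes) cannot reach high entropy regardless of content, so a production rule should also gate on body length or aggregate per connection.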
References
1. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
2. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
3. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
4. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.