T1521.001 Symmetric Cryptography
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4. Because the implant must hold the key (or the routine that derives it) in order to encrypt its beacons and decrypt replies, the key is recoverable from the app itself, and captured traffic can then be decrypted by an analyst once it is extracted.
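The following is an added example, not code from the ATT&CK page or from any of the malware families it lists. It implements RC4, the algorithm named in the SharkBot and EventBot entries, and shows the JSON-to-RC4-to-base64 layering described for EventBot from both sides: how an implant would produce a C2 blob, and how an analyst decodes it once the static key has been pulled from the decompiled APK. It also demonstrates why a fixed RC4 key with no per-message nonce is a weakness: every message is XORed with the same keystream, so XORing two ciphertexts cancels the keystream and leaks the XOR of the two plaintexts. The key, the bot ID and the command names are constructed for illustration and correspond to no real sample.

```python
import base64
import json


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key`: key-scheduling (KSA) then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encrypt and decrypt are the same keystream XOR."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Hypothetical static key standing in for one recovered from a decompiled APK.
STATIC_KEY = b"hypothetical_static_key"


def encode_c2(key: bytes, message: dict) -> str:
    """Implant side: JSON -> RC4 -> base64 (the layering the EventBot entry describes)."""
    plaintext = json.dumps(message, separators=(",", ":")).encode()
    return base64.b64encode(rc4(key, plaintext)).decode()


def decode_c2(key: bytes, blob: str) -> dict:
    """Analyst side: peel base64, then RC4 with the recovered key, then parse JSON."""
    return json.loads(rc4(key, base64.b64decode(blob)).decode())


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bool:
    """With a fixed key and no nonce the keystream repeats, so C1 ^ C2 == P1 ^ P2.

    An analyst who knows (or can guess) one plaintext can recover the other
    over the overlapping length without ever learning the key.
    """
    c1, c2 = rc4(key, m1), rc4(key, m2)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


if __name__ == "__main__":
    # Constructed beacon, not taken from any real sample.
    beacon = {"bot_id": "constructed-0001", "cmd": "get_sms"}
    blob = encode_c2(STATIC_KEY, beacon)
    print("wire blob :", blob)
    print("decoded   :", decode_c2(STATIC_KEY, blob))
    print("keystream reuse leaks P1^P2:",
          keystream_reuse_leak(STATIC_KEY, b"first beacon", b"second beacon"))
```

The `rc4` routine is checked against the standard published test vector (key `Key`, plaintext `Plaintext`), so it can be dropped into a decoder for captured traffic as-is; for AES-CBC traffic such as the Rotexy and Windshift entries describe, the same decode structure applies with the cipher, key and IV swapped in.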
Field | Value |
---|---|
ID | T1521.001 |
Parent technique | T1521 (Encrypted Channel) |
Sub-techniques of T1521 | T1521.001, T1521.002 |
Tactic | TA0037 (Command and Control) |
Platforms | Android, iOS |
Version | 1.0 |
Created | 05 April 2022 |
Last Modified | 05 April 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0478 | EventBot | EventBot has encrypted base64-encoded payload data using RC4 and Curve25519. [3] |
S0411 | Rotexy | Rotexy encrypts JSON HTTP payloads with AES. [2] |
S1055 | SharkBot | SharkBot can use RC4 to encrypt C2 payloads. [1] |
G0112 | Windshift | Windshift has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK. [4] |
References
1. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a "new" generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
2. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
3. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
4. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.