T1521.002 Asymmetric Cryptography
Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.
For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as Asymmetric Cryptography.
| Item | Value |
|---|---|
| ID | T1521.002 |
| Sub-techniques | T1521.001, T1521.002 |
| Tactics | TA0037 |
| Platforms | Android, iOS |
| Version | 1.0 |
| Created | 05 April 2022 |
| Last Modified | 05 April 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0529 | CarbonSteal | CarbonSteal has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing a SSL connection.1 |
| S0555 | CHEMISTGAMES | CHEMISTGAMES has used HTTPS for C2 communication.2 |
| S0507 | eSurv | eSurv’s Android version has used public key encryption and certificate pinning for C2 communication.5 |
| S1067 | FluBot | FluBot has encrypted C2 message bodies with RSA and encoded them in base64.4 |
| S1055 | SharkBot | SharkBot has used RSA to encrypt the symmetric encryption key used for C2 messages.3 |
| S0549 | SilkBean | SilkBean has used HTTPS for C2 communication.1 |
References
-
A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. ↩↩
-
B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020. ↩
-
RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023. ↩
-
Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023. ↩
-
A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020. ↩