T1544 Ingress Tool Transfer
Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.
| Item | Value |
|---|---|
| ID | T1544 |
| Sub-techniques | |
| Tactics | TA0037 |
| Platforms | Android, iOS |
| Version | 2.1 |
| Created | 21 January 2020 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1061 | AbstractEmu | AbstractEmu can receive files from the C2 at runtime. [3] |
| S0485 | Mandrake | Mandrake can install attacker-specified components or applications. [4] |
| S0407 | Monokle | Monokle can download attacker-specified files. [2] |
| S0326 | RedDrop | RedDrop uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. RedDrop also downloads additional components (APKs, JAR files) from different C2 servers. [6] |
| S1055 | SharkBot | SharkBot can download attacker-specified files. [1] |
| S0418 | ViceLeaker | ViceLeaker can download attacker-specified files. [5] |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | Network Communication |
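The detection row above pairs Application Vetting with Network Communication: while an app under review runs in an analysis sandbox, its network traffic is recorded and inspected for responses that deliver executable components (the APKs, JAR files and other payloads named in the procedure examples). The following heuristic is an added illustration written for this page; it is not code from ATT&CK or from any of the tools listed. It flags downloads that look like Android code (by content type, file extension, or ZIP/DEX magic bytes) from hosts the developer did not declare. The records, hostnames and the declared-host allowlist are all constructed for the example.

```python
"""Application-vetting heuristic for T1544 (Ingress Tool Transfer) on mobile.

Added illustrative example, not from the ATT&CK page or any named tool.
Given network-communication records captured while an app under review
runs in a sandbox, flag responses that deliver executable Android
artifacts (APK, JAR, DEX) from hosts the app has not declared.
Records, hostnames and the allowlist are all constructed for this example.
"""
from dataclasses import dataclass

# Content types a vetting pipeline would treat as code delivery.
CODE_CONTENT_TYPES = {
    "application/vnd.android.package-archive",  # APK
    "application/java-archive",                 # JAR
}
CODE_EXTENSIONS = (".apk", ".jar", ".dex")

# Magic bytes: APK and JAR files are ZIP containers; a DEX file starts
# with "dex\n" followed by a version string. ZIP alone is a weak signal
# (resource bundles are ZIPs too), so it is reported as one reason among
# several rather than treated as proof.
ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"


@dataclass
class NetRecord:
    """One captured HTTP exchange (constructed shape, not a real tool's format)."""
    host: str
    path: str
    content_type: str
    head: bytes  # first bytes of the response body


def looks_like_code(rec: NetRecord) -> list[str]:
    """Return the independent reasons a response body looks like executable code."""
    reasons = []
    if rec.content_type.split(";")[0].strip().lower() in CODE_CONTENT_TYPES:
        reasons.append("content-type")
    if rec.path.lower().endswith(CODE_EXTENSIONS):
        reasons.append("extension")
    if rec.head.startswith(ZIP_MAGIC) or rec.head.startswith(DEX_MAGIC):
        reasons.append("magic")
    return reasons


def vet_network_records(records, declared_hosts):
    """Flag code downloads from hosts the developer did not declare.

    Content type, extension and magic bytes are checked independently, so a
    server that mislabels the response (e.g. serves a JAR as image/png) is
    still caught by the ZIP/DEX signature.
    """
    findings = []
    for rec in records:
        reasons = looks_like_code(rec)
        if reasons and rec.host not in declared_hosts:
            findings.append({"host": rec.host, "path": rec.path, "reasons": reasons})
    return findings


# Constructed sample capture: one legitimate self-update, one image, one
# mislabeled DEX payload from a bare IP, one JAR served as an image.
SAMPLE_RECORDS = [
    NetRecord("updates.example-app.test", "/v2/update.apk",
              "application/vnd.android.package-archive", ZIP_MAGIC + b"\x14\x00"),
    NetRecord("cdn.example-app.test", "/img/logo.png", "image/png", b"\x89PNG"),
    NetRecord("203.0.113.10", "/dl/stage2.bin",
              "application/octet-stream", DEX_MAGIC + b"035\x00"),
    NetRecord("files.example-bad.test", "/plugin.jar", "image/png", ZIP_MAGIC),
]
# Hosts the developer declared for updates and content (constructed).
DECLARED_HOSTS = {"updates.example-app.test", "cdn.example-app.test"}

if __name__ == "__main__":
    for finding in vet_network_records(SAMPLE_RECORDS, DECLARED_HOSTS):
        print(f"{finding['host']}{finding['path']}: {', '.join(finding['reasons'])}")
```

Run on the constructed capture, the legitimate update from the declared host is not reported, the PNG is ignored, and the two undeclared downloads are flagged with the reasons that matched. In a real vetting pipeline the declared-host list would come from the submission metadata and the records from the sandbox's traffic capture; the heuristic is a triage signal for a reviewer, not a verdict on its own.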
References
1. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a "new" generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
2. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
3. P. Shunk, K. Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
4. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
5. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.
6. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.