Skip to content

T1604 Proxy Through Victim

Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary’s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.1

The most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the Proxy API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.

Item Value
ID T1604
Sub-techniques
Tactics TA0030
Platforms Android
Version 1.1
Created 30 November 2020
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S0522 Exobot Exobot can open a SOCKS proxy connection through the compromised device.1
S1067 FluBot FluBot can use a SOCKS proxy to evade C2 IP detection.2

Detection

ID Data Source Data Component
DS0029 Network Traffic Network Traffic Flow

References

  1. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020. 

  2. Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.