This is a custom instance of the MITRE ATT&CK Website. The official website can be found at attack.mitre.org.

SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Gustuff

Gustuff is mobile malware designed to steal users' banking and virtual currency credentials.^[1]

ID: S0406

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Version: 1.0

Created: 03 September 2019

Last Modified: 14 October 2019

Techniques Used

Domain	ID		Name	Use
Mobile	T1432		Access Contact List	Gustuff can collect the contact list.^[1]
Mobile	T1438		Alternate Network Mediums	Gustuff can use SMS for command and control from a defined admin phone number.^[1]
Mobile	T1418		Application Discovery	Gustuff checks for antivirus software contained in a predefined list.^[1]
Mobile	T1412		Capture SMS Messages	Gustuff can intercept two-factor authentication codes transmitted via SMS.^[1]
Mobile	T1533		Data from Local System	Gustuff can capture files and photos from the compromised device.^[1]
Mobile	T1476		Deliver Malicious App via Other Means	Gustuff was distributed via SMS phishing messages to numbers exfiltrated from compromised devices’ contact lists. The phishing SMS messages are sent from the compromised device to the target device.^[1]
Mobile	T1417		Input Capture	Gustuff abuses accessibility features to intercept all interactions between a user and the device.^[1]
Mobile	T1516		Input Injection	Gustuff injects the global action `GLOBAL_ACTION_BACK` to mimic pressing the back button to close the application if a call to an open antivirus application is detected.^[1]
Mobile	T1411		Input Prompt	Gustuff uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. Gustuff can also send push notifications pretending to be from a bank, triggering a phishing overlay. ^[1]^[2]
Mobile	T1406		Obfuscated Files or Information	Gustuff code is both obfuscated and packed with an FTT packer. Command information is obfuscated using a custom base85-based encoding.^[1]
Mobile	T1437		Standard Application Layer Protocol	Gustuff communicates with the command and control server using HTTP requests.^[1]
Mobile	T1508		Suppress Application Icon	Gustuff hides its icon after installation.^[2]
Mobile	T1426		System Information Discovery	Gustuff gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.^[1]
Mobile	T1422		System Network Configuration Discovery	Gustuff gathers the device IMEI to send to the command and control server.^[1]

References

Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.

Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.