Domain | ID | Name | Use |
---|---|---|---|
Mobile | T1432 | Access Contact List | |
Mobile | T1418 | Application Discovery | Anubis can collect a list of installed applications to compare to a list of targeted applications.[1] |
Mobile | T1616 | Call Control | |
Mobile | T1429 | Capture Audio | |
Mobile | T1532 | Data Encrypted | Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1] |
Mobile | T1471 | Data Encrypted for Impact | Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1] |
Mobile | T1533 | Data from Local System | Anubis can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.[1][2] |
Mobile | T1475 | Deliver Malicious App via Authorized App Store | |
Mobile | T1476 | Deliver Malicious App via Other Means | |
Mobile | T1407 | Download New Code at Runtime | |
Mobile | T1523 | Evade Analysis Environment | Anubis has used motion sensor data to attempt to determine if it is running in an emulator.[2] |
Mobile | T1417 | Input Capture | Anubis has a keylogger that works in every application installed on the device.[1] |
Mobile | T1411 | Input Prompt | Anubis can create overlays to capture user credentials for targeted applications.[1] |
Mobile | T1478 | Install Insecure or Malicious Configuration | Anubis can modify administrator settings and disable Play Protect.[1] |
Mobile | T1430 | Location Tracking | |
Mobile | T1444 | Masquerade as Legitimate Application | Anubis has requested accessibility service privileges while masquerading as "Google Play Protect" and has disguised additional malicious application installs as legitimate system updates.[1][2] |
Mobile | T1424 | Process Discovery | |
Mobile | T1513 | Screen Capture | |
Mobile | T1582 | SMS Control | |
Mobile | T1426 | System Information Discovery | |
Mobile | T1481 | Web Service | Anubis can retrieve the C2 address from Twitter and Telegram.[1][2] |