CHEMISTGAMES is a modular backdoor that has been deployed by Sandworm Team.[1]
Domain | ID | Name | Use
---|---|---|---
Mobile | T1605 | Command-Line Interface | CHEMISTGAMES can run bash commands.[1]
Mobile | T1533 | Data from Local System | CHEMISTGAMES can collect files from the filesystem and account information from Google Chrome.[1]
Mobile | T1475 | Deliver Malicious App via Authorized App Store | CHEMISTGAMES has been distributed via the Google Play Store.[1]
Mobile | T1407 | Download New Code at Runtime | CHEMISTGAMES can download new modules while running.[1]
Mobile | T1430 | Location Tracking | CHEMISTGAMES has collected the device's location.[1]
Mobile | T1444 | Masquerade as Legitimate Application | CHEMISTGAMES has masqueraded as popular South Korean applications.[1]
Mobile | T1575 | Native Code | CHEMISTGAMES has utilized native code to decrypt its malicious payload.[1]
Mobile | T1406 | Obfuscated Files or Information | CHEMISTGAMES has encrypted its DEX payload.[1]
Mobile | T1437 | Standard Application Layer Protocol | CHEMISTGAMES has used HTTPS for C2 communication.[1]
Mobile | T1521 | Standard Cryptographic Protocol | CHEMISTGAMES has used HTTPS for C2 communication.[1]
Mobile | T1474 | Supply Chain Compromise | CHEMISTGAMES has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers and subsequently gaining access to their Google Play Store developer accounts.[1]
Mobile | T1426 | System Information Discovery | CHEMISTGAMES has fingerprinted devices to uniquely identify them.[1]
ID | Name | References
---|---|---
G0034 | Sandworm Team | [1]