1. Home
  2. Techniques
  3. Mobile
  4. Alternate Network Mediums

Alternate Network Mediums

Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.

ID: T1438
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: APP-30
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018

Procedure Examples

ID Name Description
S0304 Android/Chuli.A

Android/Chuli.A used SMS to receive command and control messages.[1]
S0655 BusyGasper

BusyGasper can download text files with commands from an FTP server and exfiltrate data via email. It can also perform actions when one of two hardcoded magic SMS strings is received.[2]
S0529 CarbonSteal

CarbonSteal has used specially crafted SMS messages to control the target device.[3]

S0505 Desert Scorpion

Desert Scorpion can be controlled using SMS messages.[4]
S0406 Gustuff

Gustuff can use SMS for command and control from a defined admin phone number.[5]

S0407 Monokle

Monokle can be controlled via email and SMS from a set of "control phones."[6]
S0316 Pegasus for Android

Pegasus for Android uses SMS for command and control.[7]
S0289 Pegasus for iOS

Pegasus for iOS uses SMS for command and control.[8]
S0295 RCSAndroid

RCSAndroid can use SMS for command and control.[9]
S0411 Rotexy

Rotexy can be controlled through SMS messages.[10]
S0327 Skygofree

Skygofree can be controlled via binary SMS.[11]
S0324 SpyDealer

SpyDealer enables remote control of the victim through SMS channels.[12]
S0328 Stealth Mango

Stealth Mango uses commands received from text messages for C2.[13]
S0427 TrickMo

TrickMo can be controlled via encrypted SMS message.[14]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

References

  1. Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.
  2. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.
  3. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  4. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
  5. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.
  6. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  7. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.
  1. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
  2. Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.
  3. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  4. Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.
  5. Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.
  6. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
  7. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.