| Domain | ID | Sub-ID | Name | Use |
|---|---|---|---|---|
| Mobile | T1626 | .001 | Abuse Elevation Control Mechanism: Device Administrator Permissions | |
| Mobile | T1437 | .001 | Application Layer Protocol: Web Protocols | |
| Mobile | T1642 | | Endpoint Denial of Service | Exobot can lock the device with a password and permanently disable the screen.[1] |
| Mobile | T1624 | .001 | Event Triggered Execution: Broadcast Receivers | Exobot has registered to receive the |
| Mobile | T1417 | .001 | Input Capture: Keylogging | Exobot has used web injects to capture users’ credentials.[1] |
| Mobile | T1417 | .002 | Input Capture: GUI Input Capture | Exobot can show phishing popups when a targeted application is running.[1] |
| Mobile | T1655 | .001 | Masquerading: Match Legitimate Name or Location | |
| Mobile | T1636 | .003 | Protected User Data: Contact List | |
| Mobile | T1636 | .004 | Protected User Data: SMS Messages | |
| Mobile | T1604 | | Proxy Through Victim | Exobot can open a SOCKS proxy connection through the compromised device.[1] |
| Mobile | T1582 | | SMS Control | |
| Mobile | T1418 | .001 | Software Discovery: Security Software Discovery | Exobot can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is.[1] |
| Mobile | T1426 | | System Information Discovery | |
| Mobile | T1422 | | System Network Configuration Discovery | Exobot can obtain the device’s IMEI, phone number, and IP address.[1] |
| Mobile | T1422 | .001 | Internet Connection Discovery | Exobot can obtain the device’s IMEI, phone number, and IP address.[1] |