Center for Threat-Informed Defense

Version 14.1 → 15.0

Software : Mobile ATT&CK Changelog

Added Software

Description

BRATA (Brazilian Remote Access Tool, Android), is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]

References:

  1. Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.
  2. Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.
  3. Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.

Description

AhRat is an Android remote access tool based on the open-source AhMyth remote access tool. AhRat initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, “iRecorder – Screen Recorder”, which itself was released in September 2021.[1]

References:

  1. Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.

Description

FlixOnline is an Android malware, first detected in early 2021, believed to target users of WhatsApp. FlixOnline primarily spreads via automatic replies to a device’s incoming WhatsApp messages.[1]

References:

  1. Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. Retrieved January 26, 2024.

Description

Phenakite is a mobile malware that is used by APT-C-23 to target iOS devices. According to several reports, Phenakite was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.[1][2]

References:

  1. Hegel, T., Milenkoski, A. (2023, October 24). The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. Retrieved March 4, 2024.
  2. Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.

Description

HilalRAT is a remote access-capable Android malware, developed and used by UNC788.[1] HilalRAT is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as activating a device's camera and microphone.[1]

References:

  1. Agranovich, D., et al. (2022, April). Adversarial Threat Report. Retrieved April 2, 2024.

Modified Software

Modified Description
[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.(Citation: Lookout-Pegasus)(Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).
Details
Dictionary Item Added
  x_mitre_deprecated: False
Values Changed
  modified: 2022-10-24 15:09:07.609000+00:00 → 2024-04-06 00:01:53.588000+00:00
  description:
    old: [Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).
    new: [Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.(Citation: Lookout-Pegasus)(Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).
  x_mitre_attack_spec_version: 2.1.0 → 3.2.0
  x_mitre_version: 1.1 → 1.2

Modified Description
[AndroRAT](https://attack.mitre.org/software/S0292) is an open-source remote access tool for Android devices. [AndroRAT](https://attack.mitre.org/software/S0292) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.(Citation: Lookout-EnterpriseApps)(Citation: github_androrat)(Citation: Forcepoint BITTER Pakistan Oct 2016) It is originally available through the `The404Hacking` Github repository.(Citation: github_androrat)
Details
Dictionary Item Added
  x_mitre_aliases: ['AndroRAT']
  x_mitre_deprecated: False
  x_mitre_platforms: ['Android']
  external_references: https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan
Values Changed
  modified: 2022-10-24 15:09:07.609000+00:00 → 2024-04-16 21:01:50.792000+00:00
  description:
    old: [AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. (Citation: Lookout-EnterpriseApps)
    new: [AndroRAT](https://attack.mitre.org/software/S0292) is an open-source remote access tool for Android devices. [AndroRAT](https://attack.mitre.org/software/S0292) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.(Citation: Lookout-EnterpriseApps)(Citation: github_androrat)(Citation: Forcepoint BITTER Pakistan Oct 2016) It is originally available through the `The404Hacking` Github repository.(Citation: github_androrat)
  external_references[1]['source_name']: AndroRAT → Forcepoint BITTER Pakistan Oct 2016
  external_references[1]['description']: (Citation: Lookout-EnterpriseApps) → Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
  x_mitre_attack_spec_version: 2.1.0 → 3.2.0
  x_mitre_version: 1.0 → 1.1
Iterable Item Added
  external_references: {'source_name': 'github_androrat', 'description': 'The404Hacking. (n.d.). AndroRAT. Retrieved April 8, 2024.', 'url': 'https://web.archive.org/web/20221013124327/https://github.com/The404Hacking/AndroRAT'}

Description

eSurv is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.[1]

References:

  1. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.
Details
Dictionary Item Added
  x_mitre_deprecated: False
Values Changed
  modified: 2020-09-14 15:39:17.698000+00:00 → 2024-03-29 15:07:58.675000+00:00
  x_mitre_attack_spec_version: 2.1.0 → 3.2.0
  x_mitre_version: 1.0 → 1.1