ISN 1903-GROUP ASSIGNMENT- LAB ASSIGNMENT 1

Research on
Mobile malware research based on MITRE ATT & CK framework.
Submitted to: Saikat Asaduzzaman
Date of submission:24nd July 2023, Monday
Group name: Delta Force
Group Members

Ronald John Guzman C0893664

Tanzimul Haque C0895707
Dumkelechukwu Jerry-Okoro C0890899
Kamal Kalra C0892848
Thazni Kassim C0895117
Dixa Kathiriya C0892073
 Table of Contents

Introduction .................................................................................... 3
1.What is MITRE ATT & CK framework ........................................ 3
2. What are Techniques, Tactics and Procedures in MITRE
ATT&CK framework? ..................................................................... 4
3. What is pyramid of pain? Why hunting in the pyramid of pain
is always rewarding? ..................................................................... 7
4. mobile malwares of different attack methodologies
(according to MITRE) and explain how they work, which mobile
platform and what are the mitigation strategies? ..................... 10
1. TianySpy ................................................................................ 10
2. AbstractEmu.......................................................................... 13
3. Agent Smith ........................................................................... 15
Conclusion ................................................................................... 18
References ................................................................................... 19
 Introduction

Popular techniques in the realm of cybersecurity are the Cyber Kill Chain
(CK) framework and MITRE ATT&CK (Adversarial Tactics, Techniques,
and Common Knowledge). These frameworks offer useful information for
comprehending, evaluating, and defending against cyber dangers and
attacks. They help cybersecurity experts improve their defence plans by
providing a methodical approach to understanding the strategies and
tactics used by adversaries. In this conversation, we'll examine the salient
characteristics and advantages of the Cyber Kill Chain framework as well
as MITRE ATT&CK.

1.What is MITRE ATT & CK framework

Various adversary tactics, methods, and procedures (TTPs) employed

during cyberattacks are categorized and described in the MITRE ATT&CK
framework, a thorough knowledge base. ATT&CK is an acronym for
"Adversarial Tactics, Techniques & Common Knowledge." (“What is Mitre
Att&CK Framework & How is it Useful? | Fortinet”) It was created by MITRE
Corporation, a nonprofit company that attempts to address a range of
technical issues, including cybersecurity.
The framework is intended to offer a common language and framework
for comprehending and debating cyberthreats. It describes a wide range
of strategies that attackers may use throughout a cyberattack, from early
reconnaissance to gaining illegal access, lateral movement within a and
network, and eventually achieving their goals, such as data exfiltration or
system compromise.
Each matrix in the ATT&CK structure focuses on a certain platform or
technology, such as windows, MacOS, Linux, or mobile devices. There are
various categories that group related attack strategies in each matrix. The
topics covered by these categories include initial access, persistence,
privilege escalation, defence evasion, discovery, lateral movement,
exfiltration, and more.
Cybersecurity experts may more fully comprehend the tactics and
tendencies of their enemies, foresee possible attack vectors, and create
more potent defensive solutions by utilizing the ATT&CK framework. Red
teaming, planning incident responses, threat modelling, and enhancing
astur overall security posture are all made easier with its help.
The MITRE team works together with the cybersecurity community to
update the framework on a regular basis, including fresh threat
information and practical observations to make sure it remains relevant
and effective in fending off new cyber-attacks.

2. What are Techniques, Tactics and Procedures in MITRE

ATT&CK framework?
Techniques, Tactics, and Procedures (TTPs) are essential elements in the
MITRE ATT&CK architecture and are used to classify and characterise the
numerous actions and procedures that adversaries utilise during
cyberattacks. The framework is designed to offer a thorough and
organised approach of comprehending the many phases and methods
employed by threat actors to accomplish their goals.
1. Techniques: The various tactics or methods that adversaries utilise
to carry out their nefarious deeds are represented as techniques in
the MITRE ATT&CK architecture. Each tactic has a distinct
objective, including initial access, execution, persistence, privilege
escalation, defence evasion, credential access, discovery, lateral
movement, collection, exfiltration, and impact. The methods offer
profound perceptions into the goals and general strategy of the
enemy's attack.
Example: Using the "Spear phishing Attachment" method, for
instance, users are tricked into opening the attachment and running
the hidden payload by receiving emails with malicious attachments
that are sent to them specifically.
2. Tactics: Based on the aim or goal the enemy is trying to accomplish;
tactics are broad categories that group related strategies. There are
now 12 techniques in the MITRE ATT&CK architecture, which reflect
typical stages of a cyberattack. These strategies offer a means to
categorise and comprehend the techniques in a certain situation.
Example: "Execution" - This strategy includes methods for running
malicious programmes on a target system, such as launching a
payload to acquire access to the system.
 3. Procedures: These are concrete instances or examples from the
real world of how adversaries use a certain tactic. They depict the
detailed procedures and methods that threat actors employ during
a real assault. Procedures frequently relate to threat groups or
campaigns and give defenders useful knowledge about how
attackers operate.
Example: "APT28 PowerShell Bypass" is an example process that
describes the steps the APT28 threat organisation used to get
around security precautions using PowerShell-based methods.

The MITRE ATT&CK framework offers a precise and systematic method

for the cybersecurity community to comprehend and efficiently address
actual cyber threats by classifying cyberthreats into Techniques, Tactics,
and Procedures. To design focused mitigation measures against certain
TTPs employed by threat actors, it aids organisations in identifying
possible gaps in their defences.
3. What is pyramid of pain? Why hunting in the pyramid of pain
is always rewarding?

The idea of the "Pyramid of Pain" in cybersecurity is used to group signs,

artefacts, or observables left behind by threat actors during cyberattacks
according to how difficult they are for defenders to find, understand, and
fix. Security researcher David Bianco first proposed the idea in 2013, and
it has since developed into a helpful framework for comprehending the
hierarchy of cyber threat indicators.
Most commonly, the Pyramid of Pain is shown as a pyramid with three
primary layers:
The Pyramid of Pain is typically represented as a pyramid with three main
layers:
1. Bottom Layer (Easy): This layer contains signs that are quite simple
for defences to find and fix. These indications include well-known
and often utilised ones like IP addresses, domain names, file
hashes, and easy patterns. They are swiftly inhibited or neutralised,
and they are easily accessible.
2. Middle Layer (Medium): More difficult to find and analyse signs are
present in the middle layer. These signs could entail more intricate
patterns, particular behaviours, or ways that call for more advanced
detection procedures. To successfully resolve them might need
additional time and effort.
3. Top Layer (Hard): The most challenging signs are found in the top
layer. These signs are connected to sophisticated, covert, and
stealthy methods utilised by expert threat actors. They are
exceedingly difficult to identify and remediate because they
frequently utilise specialised tools, zero-day vulnerabilities, and
other extremely advanced techniques.
Level Description Examples
Indicators of Basic, easily changeable - IP addresses
Compromise indicators left by - Domain names
adversaries during - File hashes
attacks. - Email addresses
Tactics, Techniques, and Specific techniques and - Phishing
Procedures procedures used by - Remote Code Execution
attackers during their - Lateral Movement
campaigns. - Privilege Escalation
Infrastructure The infrastructure utilized - C2 server IP addresses
by adversaries, including - Hosting providers used
hosting providers and C2 for attacks
servers.

Tools The actual tools and - Custom-made malware-

malware employed by Known malicious tools
adversaries in their
attacks.
 Techniques and Fundamental attacker - Code Injection
Procedures with Noisy behaviours that are - Credential Dumping
Countermeasures harder to modify, and - Process Hollowing
defending against them
often requires more
comprehensive security
measures.

Hunting on the Pyramid of Pain is usually lucrative since concentrating

on its upper levels enables defenders to take out more knowledgeable
and tenacious foes. Here are several advantages of hunting in the top
layers:
1. Advanced Adversary Detection: Threat actors that use the top-layer
approaches are frequently knowledgeable and clever. Security
teams may learn more about the presence of sophisticated
adversaries and APTs (sophisticated Persistent Threats) by
recognising these indications.
2. Defense Evasion Identification: Top-layer indications are frequently
examples of sophisticated evasion strategies employed by
attackers to get around established security protocols. Finding
these signs will help you develop more effective defence evasion
techniques.
3. Proactive Security: Organisations can take a proactive security
approach by looking in the top levels. To lessen the impact of
cyberattacks, advanced threats must be identified and mitigated
before they can do any harm.
4. Enhanced Threat Intelligence: Security teams may better
understand adversary tactics, methods, and procedures (TTPs) and
stay ahead of new risks by gathering information on top layer
indications.
5. Higher Impact Mitigation: Addressing top-layer indicators can have
a bigger impact on risk reduction and improving an organization's
general security posture.
For advanced threat identification, hunting in the Pyramid of Pain is
necessary, but it's also critical to handle signs in all tiers. To provide a
strong defence against a variety of threats and adversaries, a
comprehensive cybersecurity plan should address all levels of the
pyramid.

4. mobile malwares of different attack methodologies

(according to MITRE) and explain how they work, which mobile
platform and what are the mitigation strategies?
1. TianySpy
Between September 30 and October 12, 2021, SMS phishing was the main
method used to transmit TianySpy, a mobile malware. It is thought that
TianySpy has targeted credentials linked to membership websites of
significant Japanese telecommunications services.

A link to a malicious website is included in the smishing message, which

was presented as originating from a telecommunications provider. The
website then provides instructions for installing malware that seems to
be security software. Two patterns of the way the campaign's message
were conveyed were verified by Trend Micro:

➢ In the first pattern, the SMS is sent from a malicious SMS delivery
service: (In English, reads as follows: “Unauthorized access to your
account detected. Please confirm.”)
"TianySpy was confirmed to be infected in cases where users
accessed the malicious link from both Android and iPhone devices."
(“TianySpy Malware Uses Smishing Disguised as Message from
Telco”)
➢ In the second pattern, the SMS is potentially sent from devices
infected by “AndroidOS_KeepSpy.GCL,” an Android malware: (In
English, reads as follows: “Your payment could not be confirmed.
Please confirm.”)
Users of Android devices were lured into accessing the malicious
link, resulting in their devices being infected with KeepSpy. "In the
same pattern, users of iPhones who accessed the malicious link
were infected with the version of TianySpy for their device."
(“TianySpy Malware Uses Smishing Disguised as Message from
Telco”)
An iPhone's configuration profile function allows you to specify
configuration for a few different features, including the Wi-Fi setting. In
this campaign, users were tricked into accessing a link in a smishing
message delivered to their iPhone, downloading, and installing a
malicious configuration profile. The installation of the malicious
configuration profile results in the transmission of device data, including
the Unique Device Identifier (UDID), to the attacker's website, according to
Trend Micro research.

"The sent UDID is then used in a provisioning profile, which has TianySpy
built in. This enables TianySpy to infect an iPhone through Ad Hoc
distribution, which is usually used to deploy an application in its
development stage." (“TianySpy Malware Uses Smishing Disguised as
Message from Telco”)

Malware analysis

From the results of the analysis of TianySpy (Android version), it was

determined that the malware has the following functions:

1. Reading Wi-Fi settings

2. Falsifying a legitimate telecommunication company’s site,
specifically its usage statement via WebView (via Application Web
display system for Android)
3. Information stealing through a malicious JavaScript.
4. Sending stolen data by mail
5. Displaying a malicious or fake site
If Wi-Fi is activated, TianySpy first checks the settings and then displays
an alert message urging the user to disable Wi-Fi. An authentication page
is displayed if Wi-Fi is deactivated, and the attacker's email address is sent
with credential information and authorized cookies. Authentication is
necessary before showing the usage statement page. The Wi-Fi is
probably turned off during this phase since the attacker intends to get
credentials via a carrier network.

The TianySpy app for iPhone shares many features with the Android
version, including encrypted strings including stop.html, the attacker's
email address, and the URL of the website's usage statement. As a result,
it is very possible that the iPhone version of TianySpy will steal credentials
and transfer them to the attacker.

Mitigation / Protection from phishing and smishing

With the first case in Japan where a type of malware that targets iPhones
resulted in financial damage, campaign shows that iPhones can indeed
be infected by malware once a malicious configuration profile is installed.
This case also confirmed that simply accessing a malicious website
would not inevitably infect a device with malware. Rather, a user must
complete the process of installing the malware for infection to take place.
This means that with enough knowledge and caution, a user can protect
their device from infection.

"Smishing continues to be part of this loop of attack chains targeting

smartphones." (“TianySpy Malware Uses Smishing Disguised as Message
from Telco”) In the meantime, Japan Cybercrime Control Center (JC3)
continues to publish alert notifications about the same campaign.

Mitre Attack Techniques used:

Domain ID Name Use
Mobile T1623 Command and Scripting TianySpy can steal information
Interpreter via malicious JavaScript
Mobile T1639 Exfiltration Over "TianySpy can exfiltrate collected
Alternative Protocol user data, including credentials
and authorized cookies, via
email." (“Exfiltration Over
Alternative Protocol - MITRE
ATT&CK®”)
Mobile T1417 Input Capture: GUI Input TianySpy can utilize WebViews to
(.002) Capture display fake authentication
pages that capture user
credentials.
Mobile T1406 Obfuscated Files or TianySpy has encrypted C2
Information details, email addresses, and
passwords.
Mobile T1632 Subvert Trust Controls: TianySpy can install malicious
(.001) Code Signing Policy configurations on iPhones to
Modification allow malware to be installed via
Ad Hoc distribution.
Mobile T1426 System Information TianySpy can gather device
Discovery UDIDs.
Mobile T1422 System Network TianySpy can check to see if Wi-
Configuration Discovery Fi is enabled.

2. AbstractEmu
The mobile malware known as AbstractEmu was first discovered in
October 2021 on Google Play and other third-party marketplaces. It was
found in 19 Android applications, at least 7 of which leveraged well-known
Android exploits to gain root access. AbstractEmu was shown to affect
users mostly in the United States, but it is believed that victims are spread
throughout a total of 17 countries.

A new rooting malware was discovered by security researchers at the

Lookout Threat Lab and is being sold on Google Play and well-known third-
party retailers including the Amazon Appstore and Samsung Galaxy Store.

The malware "AbstractEmu" got its name because it used anti-emulation

checks and code abstraction to avoid operating while being analyzed.
Seven of the 19 related programs that were found—including one on Play
with more over 10,000 downloads—contain rooting functionality.

Malware rooting is extremely risky despite being rare. The threat actor
might discreetly grant themselves risky rights or install more malware by
leveraging the rooting procedure to acquire privileged access to the
Android operating system, actions that would typically require user
engagement. Additionally, elevated rights allow the malware to access
sensitive data from other apps, which is otherwise impossible.

Mitigation / Prevention

1. Google promptly removed the app as soon as they were notified of

the malware.
2. Always keep your OS up to date
3. "Rooting Android or jailbreaking iOS devices are still the most
invasive ways to fully compromise a mobile device." (“Rooting
Malware Makes a Comeback: Lookout Discovers Global Campaign”)
4. Downloading apps from official stores only
5. Exercise caution when installing unknown apps.
 6. Dedicated mobile security software to secure against all mobile
threats, including phishing, OS and app vulnerabilities, malware, and
network threats.

Mitre Attack Techniques used:

Domain ID Name Use
Mobile T1517 Access Notifications AbstractEmu can monitor
notifications.
Mobile T1437 Application Layer AbstractEmu can use HTTP to
(.001) Protocol: Web Protocols communicate with the C2 server.
Mobile T1429 Audio Capture AbstractEmu can grant itself
microphone permissions.
Mobile T1623 Command and Scripting "AbstractEmu has included
(.001) Interpreter: Unix Shell encoded shell scripts to
potentially aid in the rooting
process." (“AbstractEmu,
Software S1061 | MITRE
ATT&CK®”)
Mobile T1533 Data from Local System "AbstractEmu can collect files
from or inspect the device’s
filesystem." (“Data from Local
System, Technique T1533 -
Mobile | MITRE ATT&CK®”)[1]
Mobile T1407 Download New Code at AbstractEmu can download and
Runtime install additional malware after
initial infection.
Mobile T1646 Exfiltration Over C2 "AbstractEmu can send large
Channel amounts of device data over its
C2 channel, including the
device’s manufacturer, model,
version and serial number,
telephone number, and IP
address." (“Exfiltration Over C2
Channel, Technique T1646 -
Mobile - MITRE ATT&CK®”)
Mobile T1404 Exploitation for Privilege AbstractEmu can use rooting
Escalation exploits to silently give itself
permissions or install additional
malware.
Mobile T1629 Impair Defenses: Disable AbstractEmu can disable Play
.003 or Modify Tools Protect.
Mobile T1544 Ingress Tool Transfer AbstractEmu can receive files
from the C2 at runtime.
Mobile T1430 Location Tracking AbstractEmu can access a
device's location.
Mobile T1406 Obfuscated Files or "AbstractEmu has encoded files,
Information such as exploit binaries, to
potentially use during and after
the rooting process."
(“Obfuscated Files or
Information, Technique T1406 -
MITRE ATT&CK®”)
Mobile T1636 Protected User Data: Call AbstractEmu can access device
(.002) Log call logs.
Mobile T1636 Protected User AbstractEmu can grant itself
(.003) Data: Contact List contact list access.
Mobile T1636 Protected User Data: SMS "AbstractEmu can intercept SMS
((.004) Messages messages containing two factor
authentication codes."
(“AbstractEmu, Software S1061 |
MITRE ATT&CK®”)
Mobile T1418 Software Discovery AbstractEmu can obtain a list of
installed applications.[1]
Mobile T1426 System Information "AbstractEmu can collect device
Discovery information such as
manufacturer, model, version,
serial number, and telephone
number." (“AbstractEmu,
Software S1061 | MITRE
ATT&CK®”) [1]

Mobile T1422 System Network AbstractEmu can collect device

Configuration Discovery IP address and SIM
information. [1]

Mobile T1512 Video Capture AbstractEmu can grant itself

camera permissions.[1]
Mobile T1633 Virtualization/Sandbox AbstractEmu has used code
Evasion abstraction and anti-emulation
checks to potentially avoid
running while under analysis.[1]
Mobile T1633 System Checks "AbstractEmu can check device
(.004) system properties to potentially
avoid running while under
analysis."
(“Virtualization/Sandbox
Evasion: - MITRE ATT&CK®”)[1]

3. Agent Smith
Agent Smith is a type of mobile malware that makes money by replacing
trustworthy apps on smartphones with malicious versions that include
fraudulent ads. Agent Smith, which predominantly targeted India as of
July 2019, had infected about 25 million devices. Saudi Arabia, the United
Kingdom, and the United States were also affected, as were other Asian
countries.

Approximately 25 million devices have lately been silently infected by a

new form of mobile malware, quietly and without the user's knowledge,
according to Check Point researchers. The malware's main component,
which is disguised as a Google-related app, uses several known Android
security flaws to automatically replace installed apps on the device with
malicious ones without the user's involvement. Check Point Researchers
gave this malware the nickname "Agent Smith" because of its distinct just-
in-time (JIT) on-device strategy.

Agent Smith displays false advertisements for financial benefit by using

its extensive access to the device's resources. This action is like earlier
campaigns like CopyCat, HummingBad, and Gooligan. While other Asian
nations like Pakistan and Bangladesh are also impacted, the main targets
to date are headquartered in India.

Mitigation / Prevention

1. Check Point Research has provided data to Google and law

enforcement agencies. As a result, it has tentatively redacted
material pertaining to the harmful actor.
2. Since Check Point and Google collaborated closely, there are no
malicious apps on the Play Store as of the time of publication.
3. Attention and action from system developers, device
manufacturers, app developers, and users, so that vulnerability
fixes are patched, distributed, adopted, and installed in time.
(“‘Agent Smith’ malware replaces legit Android apps with fake ...
- TNW”)
4. Organizations and consumers alike should have an advanced
mobile threat prevention solution installed on the device to
protect themselves against the possibility of unknowingly
installing malicious apps, even from trusted app stores.
Mitre Attack Techniques used:
Domain ID Name Use
Mobile T1577 Compromise Application "Agent Smith can inject
Executable fraudulent ad modules into
existing applications on a
device." (“Agent Smith,
Software S0440 | MITRE
ATT&CK®”)
Mobile T1404 Exploitation for Privilege "Agent Smith exploits known
Escalation OS vulnerabilities, including
Janus, to replace legitimate
applications with malicious
versions." (“Agent Smith,
Software S0440 | MITRE
ATT&CK®”)
Mobile T1643 Generate Traffic from Agent Smith shows fraudulent
Victim ads to generate revenue.
Mobile T1628 Hide Artifacts: Suppress "Agent Smith can hide its icon
(.001) Application Icon from the application launcher"
(“Agent Smith, Software S0440
| MITRE ATT&CK®”)
Mobile T1630 Indicator Removal on "Agent Smith deletes infected
(.002) Host: File Deletion applications’ update packages
when they are detected on the
system, preventing updates."
(“Agent Smith, Software S0440
| MITRE ATT&CK®”)
Mobile T1406 Obfuscated Files or Agent Smith’s core malware is
(.001) Information: Steganography disguised as a JPG file and
encrypted with an XOR cipher.
Mobile T1424 Process Discovery "Agent Smith checks if a
targeted application is running
in user-space prior to
infection." (“Agent Smith,
Software S0440 | MITRE
ATT&CK®”)
Mobile T1418 Software Discovery Agent Smith obtains the
device’s application list.
 Conclusion

The Cyber Kill Chain and the MITRE ATT&CK architecture offer important
insights into cyber dangers and how attackers work. The CKC focuses on
the phases of an assault and the opportunities for intervention, whereas
ATT&CK delves into adversary behaviours and strategies. Organisations
frequently combine the two frameworks to strengthen their security
posture and incident response capabilities. Security teams may more
efficiently identify, stop, and react to cyber threats by utilising these
frameworks. Remember that the cybersecurity industry is continuously
changing, so it's important to keep up with any new innovations and
frameworks that might appear after September 2021, when my
knowledge of them expires.
 References

https://attack.mitre.org/

https://github.com/mitre/cti

https://github.com/mitre-attack/attack-

arsenal/blob/main/adversary_emulation/Apt29_Leveraging_Security_Cameras.yml

What is Mitre Att&CK Framework & How is it Useful? | Fortinet,

https://www.fortinet.com/resources/cyberglossary/mitre-attck.

David Bianco's blog post "Introducing the Pyramid of Pain":

https://detectrespond.blogspot.com/2013/03/introducing-pyramid-of-pain.html

A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A
New Species of Mobile Malware. Retrieved May 7, 2020.

https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/

https://attack.mitre.org/versions/v13/software/S0440/

P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout
Discovers Global Campaign. Retrieved February 6, 2023.

https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign

https://attack.mitre.org/versions/v13/software/S1061/

Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message
from Telco. Retrieved January 11, 2023.

https://www.trendmicro.com/en_ca/research/22/a/tianyspy-malware-uses-smishing-
disguised-as-message-from-telco.html

https://attack.mitre.org/versions/v13/software/S1056/