{"description": "Mobile techniques used by EventBot, ATT&CK software S0478 (v1.0)", "name": "EventBot (S0478)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[EventBot](https://attack.mitre.org/software/S0478) communicates with the C2 using HTTP requests.(Citation: Cybereason EventBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1407", "comment": "[EventBot](https://attack.mitre.org/software/S0478) can download new libraries when instructed to.(Citation: Cybereason EventBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1521", "showSubtechniques": true}, {"techniqueID": "T1521.001", "comment": "[EventBot](https://attack.mitre.org/software/S0478) has encrypted base64-encoded payload data using RC4 and Curve25519.(Citation: Cybereason EventBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1624", "showSubtechniques": true}, {"techniqueID": "T1624.001", "comment": "[EventBot](https://attack.mitre.org/software/S0478) registers for the `BOOT_COMPLETED` intent to auto-start after the device boots.(Citation: Cybereason EventBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417", "showSubtechniques": true}, {"techniqueID": "T1417.001", "comment": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android\u2019s accessibility service to record the screen PIN.(Citation: Cybereason EventBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417.002", "comment": "[EventBot](https://attack.mitre.org/software/S0478) can display popups over running applications.(Citation: Cybereason EventBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "[EventBot](https://attack.mitre.org/software/S0478) has used icons from popular applications.(Citation: Cybereason EventBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1406", "comment": "[EventBot](https://attack.mitre.org/software/S0478) dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. [EventBot](https://attack.mitre.org/software/S0478) also utilizes ProGuard to obfuscate the generated APK file.(Citation: Cybereason EventBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[EventBot](https://attack.mitre.org/software/S0478) can intercept SMS messages.(Citation: Cybereason EventBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1513", "comment": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android\u2019s accessibility service to capture data from installed applications.(Citation: Cybereason EventBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "comment": "[EventBot](https://attack.mitre.org/software/S0478) can collect a list of installed applications.(Citation: Cybereason EventBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "[EventBot](https://attack.mitre.org/software/S0478) can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.(Citation: Cybereason EventBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1422", "comment": "[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1422.001", "comment": "[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by EventBot", "color": "#66b1ff"}]}