{"description": "Mobile techniques used by SharkBot, ATT&CK software S1055 (v1.0)", "name": "SharkBot (S1055)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1517", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can intercept notifications to send to the C2 server and take advantage of the Direct Reply feature.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can use HTTP to send C2 messages to infected devices.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1661", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) initially poses as a benign application, then malware is downloaded and executed after an application update.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1407", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can use the Android \u201cDirect Reply\u201d feature to spread the malware to other devices. It can also download the full version of the malware after initial device compromise.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1637", "showSubtechniques": true}, {"techniqueID": "T1637.001", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1521", "showSubtechniques": true}, {"techniqueID": "T1521.001", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can use RC4 to encrypt C2 payloads.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1521.002", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) has used RSA to encrypt the symmetric encryption key used for C2 messages.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1646", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can exfiltrate captured user credentials and event logs back to the C2 server.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1630", "showSubtechniques": true}, {"techniqueID": "T1630.001", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) has C2 commands that can uninstall the app from the infected device.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1544", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can download attacker-specified files.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1417", "showSubtechniques": true}, {"techniqueID": "T1417.001", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can use accessibility event logging to steal data in text fields.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417.002", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can use a WebView with a fake login site to capture banking credentials.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1516", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can use input injection via Accessibility Services to simulate user touch inputs, prevent applications from opening, change device settings, and bypass MFA protections.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can use a Domain Generation Algorithm to decode the C2 server location.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1644", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can use the \u201cDirect Reply\u201d feature of Android to automatically reply to notifications with a message provided by C2.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1424", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can use Accessibility Services to detect which process is in the foreground.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can intercept SMS messages.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1582", "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can hide and send SMS messages. [SharkBot](https://attack.mitre.org/software/S1055) can also change which application is the device\u2019s default SMS handler.(Citation: nccgroup_sharkbot_0322)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SharkBot", "color": "#66b1ff"}]}
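The file above is an ATT&CK Navigator layer: a flat list of technique entries where parent techniques (T1437, T1521, T1637, ...) carry no score and exist only so the Navigator expands their sub-techniques, while every scored entry cites the source it came from. The Python below is an added example written for this page, not part of the layer and not MITRE or Navigator tooling. It parses such a layer and checks the invariants a layer author depends on: each sub-technique entry has its parent present with showSubtechniques enabled, each scored entry carries a (Citation: ...) tag, and scores fall inside the gradient range. SAMPLE_LAYER is a constructed subset of the SharkBot layer with one entry deliberately broken; the function names and the specific checks are this example's own choices.

```python
"""Lint and summarize an ATT&CK Navigator layer file (hypothetical helper, not
part of the layer above and not Navigator tooling)."""
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
CITATION = re.compile(r"\(Citation: ([^)]+)\)")

# Constructed subset of the SharkBot (S1055) layer above, not the full file.
# The T1521.001 entry is deliberately malformed to exercise every check:
# its parent T1521 is absent, its score is outside the gradient, and it
# has no citation tag.
SAMPLE_LAYER = """{
  "name": "SharkBot (S1055)", "domain": "mobile-attack",
  "techniques": [
    {"techniqueID": "T1437", "showSubtechniques": true},
    {"techniqueID": "T1437.001",
     "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can use HTTP to send C2 messages to infected devices.(Citation: nccgroup_sharkbot_0322)",
     "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1516",
     "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can use input injection via Accessibility Services to simulate user touch inputs.(Citation: nccgroup_sharkbot_0322)",
     "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1521.001",
     "comment": "[SharkBot](https://attack.mitre.org/software/S1055) can use RC4 to encrypt C2 payloads.",
     "score": 5, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}
}"""


def load_layer(text):
    """Parse layer JSON. A reflowed copy with literal newlines inside comment
    strings is not valid JSON, so json.loads raises rather than guessing."""
    return json.loads(text)


def lint_layer(layer):
    """Return human-readable problems; an empty list means the layer is clean."""
    problems = []
    entries = {t["techniqueID"]: t for t in layer.get("techniques", [])}
    grad = layer.get("gradient", {})
    lo, hi = grad.get("minValue", 0), grad.get("maxValue", 1)
    for tid, t in entries.items():
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"{tid}: malformed technique ID")
            continue
        if "." in tid:
            # Navigator only renders a sub-technique if its parent entry
            # is present and expanded.
            parent = entries.get(tid.split(".")[0])
            if parent is None or not parent.get("showSubtechniques"):
                problems.append(f"{tid}: parent entry missing or not expanded")
        if "score" in t:
            if not lo <= t["score"] <= hi:
                problems.append(f"{tid}: score {t['score']} outside gradient [{lo}, {hi}]")
            if not CITATION.search(t.get("comment", "")):
                problems.append(f"{tid}: scored entry has no (Citation: ...) tag")
    return problems


def scored_techniques(layer):
    """IDs the layer actually attributes to the software, sorted. Unscored
    parents used only to expand sub-techniques are skipped."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if "score" in t)


def citations(layer):
    """Map each scored technique to the citation keys its comment names."""
    return {t["techniqueID"]: sorted(set(CITATION.findall(t.get("comment", ""))))
            for t in layer["techniques"] if "score" in t}


if __name__ == "__main__":
    layer = load_layer(SAMPLE_LAYER)
    print("scored:", scored_techniques(layer))
    for problem in lint_layer(layer):
        print("problem:", problem)
```

Run against the full layer above it reports nothing: every sub-technique has its expanded parent, every scored entry cites nccgroup_sharkbot_0322, and all scores are 1 inside the [0, 1] gradient. The citation map is the useful by-product when merging layers from several software entries, since it tells you which techniques rest on a single source.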