TTPwire Vol. 1 · MITRE ATT&CK · Tagged


F5 Labs

Marcher Gets Close to Users by Targeting Mobile Banking, Android Apps, Social Media, and Email

2017-04-07

ATT&CK techniques detected

8 predictions
T1566.002 Spearphishing Link
91%
“go after specific banks in specific countries. Figure 7: Targeted banks by country. Several banking groups were targeted across multiple countries, including the ING Group in Austria, Australia, France, and Germany; the Santander Group across Europe and Latin America; and the s…”
T1071.001 Web Protocols
43%
“C&C servers detected, 63% of which were using HTTPS. While monitoring Marcher activity in March, F5 researchers shut down 12 malicious C&C servers that were detected. Table 1: C&C servers and their statuses, March 2017. The 12 C&C servers that F5 shut down in March were asso…”
T1566.001 Spearphishing Attachment
40%
T1566.001 Spearphishing Attachment
37%
T1071 Application Layer Protocol
35%
T1657 Financial Theft
34%
“Marcher Gets Close to Users by Targeting Mobile Banking, Android Apps, Social Media, and Email. Introduction. Marcher is an Android banking trojan, first detected in 2013, that continually evolves to stay active. The longevity and evolution of this malware is not surprising, given …”
T1564.004 NTFS File Attributes
33%
T1566.002 Spearphishing Link
30%
“were email providers like Yahoo and Gmail, social network and messaging apps like Facebook, Viber, and WhatsApp, and Gumtree, an Australian online classified ad app. Figure 5: Marcher targets by industry. Most of Marcher’s domain targets are Google Play Store links where custom…”

Summary

Marcher targets focused on European, Australian, and Latin American banks, along with PayPal, eBay, Facebook, WhatsApp, Viber, Gmail, and Yahoo—all in the month of March.