“21 & Figure 22). Figure 21. Trigger function for stealing MFA codes. Figure 22. A separate trigger function for stealing MFA codes. Whenever Google Authenticator is open, the accessibility service will run the 2FA-code stealer task, which searches for an MFA code on screen u…”
T1556.006 Multi-Factor Authentication (55%)
“com/_/lookup/accountlookup - checks if email exists - https://accounts.google[.]com/_/signin/challenge - MFA challenge page - https://myaccount.google[.]com – successful login page. MaliBot extracts the email and password entered to the WebView sign-i…”
T1556.006 Multi-Factor Authentication (50%)
“using the accessibility service. If it detects that the victim has opened an app on the list of targets, it will set up a WebView that displays an HTML overlay to the victim. Figure 16, Figure 17, and Figure 18 show the app listening for specific conditions, initiating an overlay…”
T1219 Remote Access Tools (44%)
“to implement something akin to a VNC server which allows remote control of the victim’s device. The attacker is able to obtain screen captures from the victim and send input commands to the malware to perform actions. The remote control communicates with a hardcoded IP over htt…”
T1556.006 Multi-Factor Authentication (43%)
“against uninstallation and permissions removal by looking for specific text or labels on the screen and pressing the back button to prevent them. Google’s 2-Step Verification bypass. Stealing credentials is often not enough to allow an attacker to successfully log in to a vict…”
T1055.001 Dynamic-link Library Injection (41%)
“in the future. Current MaliBot evasion techniques. Android is able to pause or kill a running service in the background if it’s not active or if the OS needs the resources. To keep the background service of the malware alive, MaliBot sets itself as a launcher. Every time the lau…”
T1204.002 Malicious File (34%)
“example of mobile malware serves as a reminder that the attack trends du jour are never the only threat worth paying attention to. We hope the following indicators of compromise are helpful for responders in mitigating this threat. Think we got something wrong? Have questions for…”
T1111 Multi-Factor Authentication Interception (33%)
“com/_/lookup/accountlookup - checks if email exists - https://accounts.google[.]com/_/signin/challenge - MFA challenge page - https://myaccount.google[.]com – successful login page. MaliBot extracts the email and password entered to the WebView sign-i…”
T1071 Application Layer Protocol (32%)
“the mobile app, making reverse engineering and analysis much more difficult. Using the Tencent packer, MaliBot unpacks itself by decrypting an encrypted DEX file from the assets and loading it at runtime using MultiDex. We have a detailed analysis on the Tencent packer in the “De…”
T1111 Multi-Factor Authentication Interception (31%)
“21 & Figure 22). Figure 21. Trigger function for stealing MFA codes. Figure 22. A separate trigger function for stealing MFA codes. Whenever Google Authenticator is open, the accessibility service will run the 2FA-code stealer task, which searches for an MFA code on screen u…”
Summary
We found a novel malware strain that is targeting financial sites in Italy and Spain... so far.