GhostBat RAT: Inside the Resurgence of RTO-Themed Android Malware

MITRE Techniques

• [T1660 ] Phishing – Malware is distributed via Smishing; “malware distributed via Smishing” quoted from the article.
• [T1575 ] Native API – Malware uses native code to drop a payload; “samples load and execute a .so library … resolved and invoked at runtime via JNI” quoted from the article.
• [T1655.001 ] Masquerading: Match Legitimate Name or Location – Malware pretending to be a genuine application; “impersonates RTO applications” quoted from the article.
• [T1406.002 ] Obfuscated Files or Information: Software Packing – Malware uses a native packer; “samples … were observed using a native library to install the final payload” quoted from the article.
• [T1633 ] Virtualization/Sandbox Evasion – Malware implemented an anti-emulation check; “performs an anti-emulation check by validating the device’s architecture and manufacturer” quoted from the article.
• [T1426 ] System Information Discovery – Malware collects device information; “validating the device’s architecture and manufacturer” quoted from the article.
• [T1636.004 ] Protected User Data: SMS Messages – Collects SMSs; “All SMS messages containing banking-related keywords are exfiltrated” quoted from the article.
• [T1437.001 ] Application Layer Protocol: Web Protocols – Malware uses FCM for C&C communication; “Malware uses FCM for C&C communication” quoted from the article.
• [T1646 ] Exfiltration Over C2 Channel – Sending exfiltrated data over the C&C server; “sending matches to its C2 server” quoted from the article.
• [T1582 ] SMS Control – Malware can send SMSs; “incoming SMS messages may be forwarded or uploaded … for OTP harvesting” quoted from the article.