Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.[1]
There are multiple close variants of Desert Scorpion, such as VAMP[2], GnatSpy[3], FrozenCell and SpyC23, which add some additional functionality but are not significantly different from the original malware.
| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1532 | Archive Collected Data | Desert Scorpion can encrypt exfiltrated data.[1] |
| Mobile | T1429 | Audio Capture | Desert Scorpion can record audio from phone calls and the device microphone.[1] |
| Mobile | T1533 | Data from Local System | Desert Scorpion can collect attacker-specified files, including files located on external storage.[1] |
| Mobile | T1407 | Download New Code at Runtime | Desert Scorpion has been distributed in multiple stages.[1] |
| Mobile | T1420 | File and Directory Discovery | Desert Scorpion can list files stored on external storage.[1] |
| Mobile | T1628.001 | Hide Artifacts: Suppress Application Icon | Desert Scorpion can hide its icon.[1] |
| Mobile | T1630.002 | Indicator Removal on Host: File Deletion | Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.[1] |
| Mobile | T1430 | Location Tracking | Desert Scorpion can track the device’s location.[1] |
| Mobile | T1644 | Out of Band Data | Desert Scorpion can be controlled using SMS messages.[1] |
| Mobile | T1636.003 | Protected User Data: Contact List | Desert Scorpion can collect the device’s contact list.[1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | Desert Scorpion can retrieve SMS messages.[1] |
| Mobile | T1582 | SMS Control | Desert Scorpion can send SMS messages.[1] |
| Mobile | T1418 | Software Discovery | Desert Scorpion can obtain a list of installed applications.[1] |
| Mobile | T1409 | Stored Application Data | Desert Scorpion can collect account information stored on the device.[1] |
| Mobile | T1632.001 | Subvert Trust Controls: Code Signing Policy Modification | If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.[1] |
| Mobile | T1426 | System Information Discovery | Desert Scorpion can collect device metadata and can check if the device is rooted.[1] |
| Mobile | T1512 | Video Capture | Desert Scorpion can record videos.[1] |