Desert Scorpion
Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.[1]
There are multiple close variants of Desert Scorpion, such as VAMP[2], GnatSpy[3], FrozenCell and SpyC23, which add some additional functionality but are not significantly different from the original malware.
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Mobile | T1532 | Archive Collected Data |
Desert Scorpion can encrypt exfiltrated data.[1] |
|
| Mobile | T1429 | Audio Capture |
Desert Scorpion can record audio from phone calls and the device microphone.[1] |
|
| Mobile | T1533 | Data from Local System |
Desert Scorpion can collect attacker-specified files, including files located on external storage.[1] |
|
| Mobile | T1407 | Download New Code at Runtime |
Desert Scorpion has been distributed in multiple stages.[1] |
|
| Mobile | T1420 | File and Directory Discovery |
Desert Scorpion can list files stored on external storage.[1] |
|
| Mobile | T1628 | .001 | Hide Artifacts: Suppress Application Icon |
Desert Scorpion can hide its icon.[1] |
| Mobile | T1630 | .002 | Indicator Removal on Host: File Deletion |
Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.[1] |
| Mobile | T1430 | Location Tracking |
Desert Scorpion can track the device’s location.[1] |
|
| Mobile | T1644 | Out of Band Data |
Desert Scorpion can be controlled using SMS messages.[1] |
|
| Mobile | T1636 | .003 | Protected User Data: Contact List |
Desert Scorpion can collect the device’s contact list.[1] |
| .004 | Protected User Data: SMS Messages |
Desert Scorpion can retrieve SMS messages.[1] |
||
| Mobile | T1582 | SMS Control |
Desert Scorpion can send SMS messages.[1] |
|
| Mobile | T1418 | Software Discovery |
Desert Scorpion can obtain a list of installed applications.[1] |
|
| Mobile | T1409 | Stored Application Data |
Desert Scorpion can collect account information stored on the device.[1] |
|
| Mobile | T1632 | .001 | Subvert Trust Controls: Code Signing Policy Modification |
If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.[1] |
| Mobile | T1426 | System Information Discovery |
Desert Scorpion can collect device metadata and can check if the device is rooted.[1] |
|
| Mobile | T1512 | Video Capture |
Desert Scorpion can record videos.[1] |
|
Groups That Use This Software
References
- A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
- Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.