
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile

From MITRE ATT&CKcon Power Hour November 2020

By Allie Mellen, Security Strategist, Office of the CSO, Cybereason

In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, Allie discusses how the Cybereason research team uses both MITRE ATT&CK and MITRE ATT&CK for Mobile to map and communicate new malware to the larger security community. Teams use the MITRE ATT&CK framework to share techniques, tactics, and procedures with their team and the community at large. This knowledge base has been incredibly beneficial for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Many of these uses have centered around traditional endpoints like laptops and workstations. However, the MITRE ATT&CK team has also created a cutting-edge portion of their framework: MITRE ATT&CK for Mobile.

One of the most recent pieces of malware they have found is EventBot, a mobile banking trojan that targets Android devices and the financial services applications on them, including popular apps like PayPal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more. In this talk, learn about this specific attack, its intended targets, a timeline of the attack, and the MITRE ATT&CK for Mobile mapping. Learn why the Cybereason team maps to MITRE ATT&CK and MITRE ATT&CK for Mobile and what benefits it has given them and their interactions with the community.


  1. Confidential. Mapping the EventBot Mobile Banking Trojan with MITRE ATT&CK for Mobile. Allie Mellen, Security Strategist, Office of the CSO
  2. Who Am I? Allie Mellen, Security Strategist, Office of the CSO, Cybereason
  3. Agenda: Why MITRE ATT&CK? / Cybereason Nocturnus Mobile Malware Research / Aligning to MITRE ATT&CK for Mobile / How This Drives Future Alignment
  4. Why Map to MITRE ATT&CK? Classification; Purple Teaming; Knowledge Sharing (Community, Internally, Partners, Customers, Business)
  5. Why Map to MITRE ATT&CK for Mobile? Innovative Approach; Important Target; Clarity; Communicate Value
  6. Nocturnus Research: EventBot. Threat Type: Banking Trojan; Target Industry: Financial; Attack Goal: User Data; Impacted Geo: USA & Europe
  7. EventBot Targets: Recognize Any of These?
  8. MITRE ATT&CK for Mobile Techniques. Tactics: Initial Access, Persistence, Defense Evasion, Credential Access, Discovery, Collection, Exfiltration, C2. Techniques listed on the slide:
     T1476: Deliver Malicious App via Other Means
     T1402: App Auto-Start at Device Boot
     T1444: Masquerade as Legitimate Application
     T1412: Capture SMS Messages
     T1418: Application Discovery
     T1056: Input Capture
     T1532: Data Encrypted
     T1521: Standard Cryptographic Protocol
     T1461: Lockscreen Bypass
     T1508: Suppress Application Icon
     T1417: Input Capture
     T1426: System Information Discovery
     T1413: Access Sensitive Data in Device Logs
     T1437: Standard Application Layer Protocol
     T1407: Download New Code at Runtime
     T1409: Access Stored Application Data
     T1516: Input Injection
  9. Nocturnus Research: EventBot attack chain.
     Initial Access: Unsuspecting user downloads an application masquerading as legitimate
     Control: Gets control of accessibility features, begins to run in the background
     Discovery: Collects reconnaissance information like device info and the names of Android packages
     Collection: Tracks the device PIN and collects financial information, personal data, keystrokes, and passwords
     Exfiltration: Exfiltrates collected data to its C2 server
     Bypass: Steals SMS messages to bypass 2FA
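The technique list on slide 8 is the kind of mapping teams share with the community, typically as an ATT&CK Navigator layer. The following is an added example, not code from the talk or from Cybereason: it takes the technique IDs and names exactly as the slide lists them, emits a Navigator layer for the "mobile-attack" domain (the layer field names follow the public layer format; the version string, score and colour are assumed), and flags names that appear under two IDs, which catches the slide's use of both T1056 and T1417 for Input Capture.

```python
"""Build an ATT&CK Navigator layer from the EventBot technique list on slide 8."""
import json

# Technique IDs and names copied from the slide. T1056 is the Enterprise ID
# for Input Capture; the Mobile ID, also on the slide, is T1417.
EVENTBOT_TECHNIQUES = [
    ("T1476", "Deliver Malicious App via Other Means"),
    ("T1402", "App Auto-Start at Device Boot"),
    ("T1444", "Masquerade as Legitimate Application"),
    ("T1412", "Capture SMS Messages"),
    ("T1418", "Application Discovery"),
    ("T1056", "Input Capture"),
    ("T1532", "Data Encrypted"),
    ("T1521", "Standard Cryptographic Protocol"),
    ("T1461", "Lockscreen Bypass"),
    ("T1508", "Suppress Application Icon"),
    ("T1417", "Input Capture"),
    ("T1426", "System Information Discovery"),
    ("T1413", "Access Sensitive Data in Device Logs"),
    ("T1437", "Standard Application Layer Protocol"),
    ("T1407", "Download New Code at Runtime"),
    ("T1409", "Access Stored Application Data"),
    ("T1516", "Input Injection"),
]


def duplicate_names(techniques):
    """Return names that map to more than one ID (Enterprise/Mobile mix-ups),
    so the layer author can decide which ID belongs in a Mobile layer."""
    by_name = {}
    for tid, name in techniques:
        by_name.setdefault(name, []).append(tid)
    return {n: ids for n, ids in by_name.items() if len(ids) > 1}


def build_layer(techniques, name="EventBot (Cybereason Nocturnus)"):
    """Assemble the layer dict. No per-technique tactic is set, so Navigator
    highlights each technique under every tactic it belongs to."""
    return {
        "name": name,
        "versions": {"layer": "4.1"},  # assumed layer-format version
        "domain": "mobile-attack",
        "description": "Techniques observed in EventBot, per slide 8 of the talk.",
        "techniques": [
            {"techniqueID": tid, "score": 1, "color": "#e60d0d",  # constructed
             "comment": tname, "enabled": True}
            for tid, tname in techniques
        ],
    }


def layer_json(techniques):
    """Serialize the layer so it can be saved and opened in Navigator."""
    return json.dumps(build_layer(techniques), indent=2)


if __name__ == "__main__":
    print(duplicate_names(EVENTBOT_TECHNIQUES))
    print(layer_json(EVENTBOT_TECHNIQUES))
```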
