
Incident Score: Analysis & Impact (GOO1772490314)

The details of individual company incidents and reports give you a full view from every side.

Rankiteo Score Impact Analysis

Rankiteo Incident Impact: -6
Company Score Before Incident: 425 / 1000
Company Score After Incident: 419 / 1000
Incident Number: GOO1772490314
Type of Cyber Incident: Cyber Attack
Attack Vector: Social Engineering, Malicious Progressive Web App (PWA), Malicious Android APK
Data Exposed: One-Time Passcodes (OTPs), Cryptocurrency Wallet...
Incident Date: 01/03/2026
Status: published

Key Highlights From The Incident Analysis

  • Timeline of Google's Cyber Attack and lateral movement inside the company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo’s incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts Google's Rankiteo cyber scoring and cyber rating.
  • Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the Google breach identified under incident ID GOO1772490314.

The analysis begins with a detailed overview of Google's company information, such as its LinkedIn page (https://www.linkedin.com/company/google), its number of followers (40050213), its industry type (Software Development) and its number of employees (327709).

After covering the initial compromise, the video explains how Rankiteo's incident engine converts the technical details into a normalized incident score. The score before the incident was 425 and after the incident 419, a difference of -6, which can serve as an indicator of the severity and impact of the incident.

In the next step of the video, we analyze the incident in more detail, together with the impact it had on Google and its customers.

Google (Impersonated) recently reported "Sophisticated Phishing Campaign Exploits Fake Google Security Page to Steal OTPs and Cryptocurrency", a noteworthy cybersecurity incident.

A recent phishing campaign is impersonating Google’s security infrastructure to deploy a malicious Progressive Web App (PWA) capable of stealing one-time passcodes (OTPs), harvesting cryptocurrency wallet addresses, and turning victims’ browsers into proxies for attacker traffic.

The disruption is felt across the environment, affecting User Browsers (PWA), Android Devices (APK), and exposing One-Time Passcodes (OTPs), Cryptocurrency Wallet Addresses, Contacts, Real-Time GPS Data, Clipboard Contents, SMS, Call Logs, Microphone Access, Keylogging Data.

In response, remediation began, which includes the removal instructions provided by Malwarebytes.

The case underscores the lessons teams are taking away: phishing campaigns are increasingly leveraging trusted browser features (e.g., PWAs) and social engineering to bypass security measures, so users should be cautious of unsolicited security prompts and verify the legitimacy of security tools via official channels (e.g., myaccount.google.com). Recommended next steps include:

  • Educate users on recognizing phishing attempts and verifying security prompts.
  • Restrict installation of PWAs and APKs from untrusted sources.
  • Monitor for unusual permissions granted to PWAs or apps (e.g., clipboard access, notification control).

Finally, we map the incident to the MITRE ATT&CK framework to identify which of its tactics and techniques correlate with the observed activity.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with a confidence level based on the available evidence.

Initial Access
  • Phishing (T1566), high confidence (95%): a recent phishing campaign is impersonating Google's security infrastructure.
  • Phishing: Spearphishing Link (T1566.002), high confidence (90%): tricks users into installing a fake Google security tool from the domain google-prism.com.

Execution
  • User Execution: Malicious Link (T1204.001), high confidence (90%): social engineering to trick users into installing a fake Google security tool.
  • User Execution: Malicious File (T1204.002), moderate to high confidence (85%): delivers a malicious Android APK disguised as a critical Google security update.

Persistence
  • Browser Extensions (T1176), moderate to high confidence (80%): malicious Progressive Web App (PWA) capable of stealing one-time passcodes.
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), moderate to high confidence (75%): sets a boot receiver and schedules alarms to restart if terminated.
  • Boot or Logon Autostart Execution: Shortcut Modification (T1547.009), moderate to high confidence (70%): push notifications prompt users to reopen the app.

Privilege Escalation
  • Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002), moderate to high confidence (70%): registers as a device administrator to evade removal.
  • Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003), moderate confidence (60%): requests 33 high-risk permissions including accessibility services.

Defense Evasion
  • Masquerading (T1036), high confidence (90%): fake Google security tool from the domain google-prism.com.
  • Masquerading: Match Legitimate Name or Location (T1036.005), moderate to high confidence (85%): mimics a legitimate Google security page.
  • Impair Defenses: Disable or Modify Tools (T1562.001), moderate to high confidence (70%): malware registers as a device administrator to evade removal.

Credential Access
  • Adversary-in-the-Middle: Web Session Cookie (T1557.003), moderate to high confidence (80%): abuses the WebOTP API to intercept SMS-based verification codes.
  • Multi-Factor Authentication Interception (T1111), moderate to high confidence (85%): stealing one-time passcodes (OTPs).
  • Input Capture: Keylogging (T1056.001), moderate to high confidence (80%): includes a custom keyboard for keylogging.
  • Clipboard Data (T1115), high confidence (90%): harvesting cryptocurrency wallet addresses via clipboard access.

Discovery
  • Account Discovery: Local Account (T1087.001), moderate to high confidence (70%): exfiltrates contacts.
  • System Network Configuration Discovery (T1016), moderate to high confidence (80%): functions as a network proxy and internal port scanner.
  • System Location Discovery (T1614), moderate to high confidence (85%): exfiltrates real-time GPS data.

Collection
  • Automated Collection (T1119), moderate to high confidence (80%): checks for new commands every 30 seconds via an /api/heartbeat endpoint.
  • Video Capture (T1125), moderate confidence (60%): requests microphone access.
  • Data from Information Repositories (T1213), moderate to high confidence (70%): exfiltrates contacts and clipboard contents.

Command and Control
  • Application Layer Protocol: Web Protocols (T1071.001), moderate to high confidence (80%): a WebSocket relay enables attackers to send HTTP requests through the victim's browser.
  • Ingress Tool Transfer (T1105), moderate to high confidence (70%): delivers a malicious Android APK disguised as a Google security update.

Exfiltration
  • Exfiltration Over C2 Channel (T1041), high confidence (90%): exfiltrates contacts, real-time GPS data, and clipboard contents.
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003), moderate to high confidence (75%): the WebSocket relay masks attacker activity as originating from the compromised device.

Impact
  • Endpoint Denial of Service: Application or System Exploitation (T1499.004), moderate confidence (60%): turns victims' browsers into proxies for attacker traffic.
  • Data from Cloud Storage (T1530), moderate to high confidence (70%): harvesting cryptocurrency wallet addresses.

These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.

Initial Access
  • Phishing (95%)
  • Phishing: Spearphishing Link (90%)
Execution
  • User Execution: Malicious Link (90%)
  • User Execution: Malicious File (85%)
Persistence
  • Browser Extensions (80%)
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (75%)
  • Boot or Logon Autostart Execution: Shortcut Modification (70%)
Privilege Escalation
  • Abuse Elevation Control Mechanism: Bypass User Account Control (70%)
  • Abuse Elevation Control Mechanism: Sudo and Sudo Caching (60%)
Defense Evasion
  • Masquerading (90%)
  • Masquerading: Match Legitimate Name or Location (85%)
  • Impair Defenses: Disable or Modify Tools (70%)
Credential Access
  • Adversary-in-the-Middle: Web Session Cookie (80%)
  • Multi-Factor Authentication Interception (85%)
  • Input Capture: Keylogging (80%)
  • Clipboard Data (90%)
Discovery
  • Account Discovery: Local Account (70%)
  • System Network Configuration Discovery (80%)
  • System Location Discovery (85%)
Collection
  • Automated Collection (80%)
  • Video Capture (60%)
  • Data from Information Repositories (70%)
Command and Control
  • Application Layer Protocol: Web Protocols (80%)
  • Ingress Tool Transfer (70%)
Exfiltration
  • Exfiltration Over C2 Channel (90%)
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (75%)
Impact
  • Endpoint Denial of Service: Application or System Exploitation (60%)
  • Data from Cloud Storage (70%)