SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

GolfSpy

GolfSpy is Android spyware deployed by the group Bouncing Golf.^[1]

ID: S0421

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Version: 1.0

Created: 27 January 2020

Last Modified: 26 March 2020

Techniques Used

Domain	ID		Name	Use
Mobile	T1433		Access Call Log	GolfSpy can obtain the device’s call log.^[1]
Mobile	T1432		Access Contact List	GolfSpy can obtain the device’s contact list.^[1]
Mobile	T1418		Application Discovery	GolfSpy can obtain a list of installed applications.^[1]
Mobile	T1402		Broadcast Receivers	GolfSpy registers for the `USER_PRESENT` broadcast intent and uses it as a trigger to take photos with the front-facing camera.^[1]
Mobile	T1429		Capture Audio	GolfSpy can record audio and phone calls.^[1]
Mobile	T1512		Capture Camera	GolfSpy can record video.^[1]
Mobile	T1414		Capture Clipboard Data	GolfSpy can obtain clipboard contents.^[1]
Mobile	T1412		Capture SMS Messages	GolfSpy can collect SMS messages.^[1]
Mobile	T1532		Data Encrypted	GolfSpy encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.^[1]
Mobile	T1533		Data from Local System	GolfSpy can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. GolfSpy can list image, audio, video, and other files stored on the device. GolfSpy can copy arbitrary files from the device.^[1]
Mobile	T1447		Delete Device Data	GolfSpy can delete arbitrary files on the device.^[1]
Mobile	T1476		Deliver Malicious App via Other Means	GolfSpy can install attacker-specified applications.^[1]
Mobile	T1430		Location Tracking	GolfSpy can track the device’s location.^[1]
Mobile	T1406		Obfuscated Files or Information	GolfSpy encodes its configurations using a customized algorithm.^[1]
Mobile	T1424		Process Discovery	GolfSpy can obtain a list of running processes.^[1]
Mobile	T1513		Screen Capture	GolfSpy can take screenshots.^[1]
Mobile	T1437		Standard Application Layer Protocol	GolfSpy exfiltrates data using HTTP POST requests.^[1]
Mobile	T1426		System Information Discovery	GolfSpy can obtain the device’s battery level, network operator, connection information, sensor information, and information about the device’s storage and memory.^[1]

Groups That Use This Software

ID	Name	References
G0097	Bouncing Golf	^[1]

References

E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.