Domain | ID | Name | Use
---|---|---|---
Mobile | T1433 | Access Call Log | 
Mobile | T1432 | Access Contact List | 
Mobile | T1418 | Application Discovery | INSOMNIA can obtain a list of installed non-Apple applications.[2]
Mobile | T1412 | Capture SMS Messages | 
Mobile | T1540 | Code Injection | INSOMNIA grants itself permissions by injecting its hash into the kernel’s trust cache.[2]
Mobile | T1533 | Data from Local System | INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.[2]
Mobile | T1456 | Drive-by Compromise | INSOMNIA has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.[1]
Mobile | T1404 | Exploit OS Vulnerability | INSOMNIA exploits a WebKit vulnerability to achieve root access on the device.[1]
Mobile | T1579 | Keychain | 
Mobile | T1430 | Location Tracking | 
Mobile | T1406 | Obfuscated Files or Information | INSOMNIA obfuscates various pieces of information within the application.[1]
Mobile | T1437 | Standard Application Layer Protocol | INSOMNIA communicates with the C2 server using HTTPS requests.[1]
Mobile | T1426 | System Information Discovery | INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space.[2]
Mobile | T1422 | System Network Configuration Discovery | INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).[2]
Mobile | T1509 | Uncommonly Used Port | INSOMNIA has communicated with the C2 over TCP ports 43111, 43223, and 43773.[1]