CHEMISTGAMES

CHEMISTGAMES is a modular backdoor that has been deployed by Sandworm Team.[1]

ID: S0555
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 31 December 2020
Last Modified: 25 March 2021

Techniques Used

Domain ID Name Use
Mobile T1605 Command-Line Interface

CHEMISTGAMES can run bash commands.[1]

Mobile T1533 Data from Local System

CHEMISTGAMES can collect files from the filesystem and account information from Google Chrome.[1]

Mobile T1475 Deliver Malicious App via Authorized App Store

CHEMISTGAMES has been distributed via the Google Play Store.[1]

Mobile T1407 Download New Code at Runtime

CHEMISTGAMES can download new modules while running.[1]

Mobile T1430 Location Tracking

CHEMISTGAMES has collected the device’s location.[1]

Mobile T1444 Masquerade as Legitimate Application

CHEMISTGAMES has masqueraded as popular South Korean applications.[1]

Mobile T1575 Native Code

CHEMISTGAMES has utilized native code to decrypt its malicious payload.[1]

Mobile T1406 Obfuscated Files or Information

CHEMISTGAMES has encrypted its DEX payload.[1]

Mobile T1437 Standard Application Layer Protocol

CHEMISTGAMES has used HTTPS for C2 communication.[1]

Mobile T1521 Standard Cryptographic Protocol

CHEMISTGAMES has used HTTPS for C2 communication.[1]

Mobile T1474 Supply Chain Compromise

CHEMISTGAMES has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers and subsequently gaining access to their Google Play Store developer account.[1]

Mobile T1426 System Information Discovery

CHEMISTGAMES has fingerprinted devices to uniquely identify them.[1]

Groups That Use This Software

ID Name References
G0034 Sandworm Team [1]

References