1. Home
  2. Techniques
  3. Mobile
  4. Uncommonly Used Port

Uncommonly Used Port

Adversaries may use non-standard ports to exfiltrate information.

ID: T1509
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Command and Control
Platforms: Android, iOS
Version: 1.0
Created: 01 August 2019
Last Modified: 11 September 2019
Provided by LAYER 8

Procedure Examples

ID Name Description
S0480 Cerberus

Cerberus communicates with the C2 over port 8888.[1]
S0405 Exodus

Exodus Two attempts to connect to port 22011 to provide a remote reverse shell.[2]
S0408 FlexiSpy

FlexiSpy can communicate with the command and control server over ports 12512 and 12514.[3]
S0463 INSOMNIA

INSOMNIA has communicated with the C2 over TCP ports 43111, 43223, and 43773.[4]
S0485 Mandrake

Mandrake has communicated with the C2 server over TCP port 7777.[5]
S0539 Red Alert 2.0

Red Alert 2.0 has communicated with the C2 over port 7878.[6]

Mitigations

ID Mitigation Description
M1005 Application Vetting

Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs.

Detection

Detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.

References

  1. A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.
  2. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
  3. K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.
  1. A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
  2. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  3. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.