APT-C-23

APT-C-23 is a threat group that has been active since at least 2014.[1] APT-C-23 has primarily focused its operations on the Middle East, including Israeli military assets. APT-C-23 has developed mobile spyware targeting Android and iOS devices since 2017.[2]

ID: G1028
Associated Groups: Mantis, Arid Viper, Desert Falcon, TAG-63, Grey Karkadann, Big Bang APT, Two-tailed Scorpion
Contributors: Sittikorn Sangrattanapitak
Version: 1.0
Created: 26 March 2024
Last Modified: 17 November 2024

Associated Group Descriptions

Name Description
Mantis [1][3]
Arid Viper [2][3][4]
Desert Falcon [2][3][4]
Grey Karkadann [3]
Big Bang APT [5]
Two-tailed Scorpion [2]

Techniques Used

Domain ID Name Use
Mobile T1655.001 Masquerading: Match Legitimate Name or Location

APT-C-23 has masqueraded malware as legitimate applications.[2][6][7]

Mobile T1660 Phishing

APT-C-23 sends malicious links to victims to download the masqueraded application.[7][6]

Mobile T1422 System Network Configuration Discovery

APT-C-23 can collect the victim’s phone number, device information, IMSI, etc.[6]

Software

ID Name References Techniques
S0505 Desert Scorpion Archive Collected Data, Audio Capture, Data from Local System, Download New Code at Runtime, File and Directory Discovery, Hide Artifacts: Suppress Application Icon, Indicator Removal on Host: File Deletion, Location Tracking, Out of Band Data, Protected User Data: SMS Messages, Protected User Data: Contact List, SMS Control, Software Discovery, Stored Application Data, Subvert Trust Controls: Code Signing Policy Modification, System Information Discovery, Video Capture
S0577 FrozenCell Archive Collected Data, Audio Capture, Data from Local System, Download New Code at Runtime, File and Directory Discovery, Location Tracking, Masquerading: Match Legitimate Name or Location, Protected User Data: SMS Messages, Stored Application Data, System Information Discovery, System Network Configuration Discovery
S0339 Micropsia Windows Management Instrumentation, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, System Information Discovery, System Owner/User Discovery, Automated Collection, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Hide Artifacts: Hidden Files and Directories, Audio Capture
S1126 Phenakite [3][4] Audio Capture, Data from Local System, Exploitation for Privilege Escalation, Ingress Tool Transfer, Input Capture, Masquerading: Match Legitimate Name or Location, Protected User Data: SMS Messages, Protected User Data: Contact List, System Information Discovery, Video Capture
S1195 SpyC23 [2][4][6][7] Access Notifications, Application Layer Protocol: Web Protocols, Audio Capture, Call Control, Data from Local System, Event Triggered Execution: Broadcast Receivers, Hide Artifacts: User Evasion, Hide Artifacts: Suppress Application Icon, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Location Tracking, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Out of Band Data, Protected User Data: Contact List, Protected User Data, Protected User Data: SMS Messages, Screen Capture, SMS Control, Video Capture, Virtualization/Sandbox Evasion

References