
SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807)

SpyC23 is mobile malware that has been used by APT-C-23 since at least 2017. It has been observed primarily targeting Android devices in the Middle East. (Citation: welivesecurity_apt-c-23)

There are multiple close variants of SpyC23, such as VAMP (Citation: Unit42 VAMP 2017), GnatSpy (Citation: Trendmicro GnatSpy 2017), Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) | Attack Pattern | SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | 1 |
| SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) | Attack Pattern | 1 |
| SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | 1 |
| Virtualization/Sandbox Evasion - T1633 (27d18e87-8f32-4be1-b456-39b90454360f) | Attack Pattern | SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | 1 |
| SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | 1 |
| Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | 1 |
| SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | 1 |
| SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | Broadcast Receivers - T1624.001 (3775a580-a1d1-46c4-8147-c614a715f2e9) | Attack Pattern | 1 |
| Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) | Attack Pattern | SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | 1 |
| SMS Control - T1582 (b327a9c0-e709-495c-aa6e-00b042136e2b) | Attack Pattern | SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | 1 |
| SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | 1 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | 1 |
| Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | 1 |
| SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | Suppress Application Icon - T1628.001 (f05fc151-aa62-47e3-ae57-2d1b23d64bf6) | Attack Pattern | 1 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | 1 |
| SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) | Attack Pattern | 1 |
| SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | 1 |
| Out of Band Data - T1644 (ec4c4baa-026f-43e8-8f56-58c36f3162dd) | Attack Pattern | SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | 1 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | 1 |
| SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | 1 |
| SpyC23 - S1195 (95811c0a-abe0-4e7f-a0cc-b0662ced5807) | Malware | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 1 |
| Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f) | Attack Pattern | User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) | Attack Pattern | 2 |
| Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | 2 |
| Event Triggered Execution - T1624 (d446b9f0-06a9-4a8d-97ee-298cfee84f14) | Attack Pattern | Broadcast Receivers - T1624.001 (3775a580-a1d1-46c4-8147-c614a715f2e9) | Attack Pattern | 2 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | 2 |
| Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f) | Attack Pattern | Suppress Application Icon - T1628.001 (f05fc151-aa62-47e3-ae57-2d1b23d64bf6) | Attack Pattern | 2 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 2 |