Uncommonly Used Port
Adversaries may use non-standard ports to exfiltrate information.
ID: T1509
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Command and Control
Platforms: Android, iOS
Version: 1.0
Created: 01 August 2019
Last Modified: 11 September 2019
Procedure Examples
Name | Description |
---|---|
Cerberus | |
Exodus | Exodus Two attempts to connect to port 22011 to provide a remote reverse shell.[2] |
FlexiSpy | FlexiSpy can communicate with the command and control server over ports 12512 and 12514.[3] |
INSOMNIA | INSOMNIA has communicated with the C2 over TCP ports 43111, 43223, and 43773.[4] |
Mandrake | Mandrake has communicated with the C2 server over TCP port 7777.[5] |
Mitigations
Mitigation | Description |
---|---|
Application Vetting | Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. |
Detection
Detection would most likely be at the enterprise level, through packet and/or NetFlow inspection of traffic leaving the mobile network segment, where outbound connections to destination ports outside the organization's expected set can be flagged for review. Properly configured egress firewalls that permit only a short list of outbound ports may also block command and control traffic over non-standard ports outright.
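The following is an added example of the NetFlow-style inspection described above; it is illustrative code written for this page, not tooling from MITRE or from any of the vendors cited. The CSV record layout, the allow-list of expected ports, and the sample flows are all assumptions; the set of known C2 ports is taken from the procedure examples on this page.

```python
"""Flag outbound mobile-segment flows to uncommon destination ports.

Added example for this page (not MITRE's or any vendor's code). Assumed
record layout: src_ip,dst_ip,proto,dst_port,bytes. The allow-list below is
an assumption and must be tuned to the site's baseline.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports a managed mobile device is normally expected to reach (assumption):
# DNS, HTTP, NTP, HTTPS, Apple APNs, Google FCM.
EXPECTED_PORTS = {53, 80, 123, 443, 5223, 5228}

# Destination ports reported in this technique's procedure examples.
KNOWN_C2_PORTS = {7777, 12512, 12514, 22011, 43111, 43223, 43773}

# Constructed sample flows for this example, not captured traffic.
SAMPLE_FLOWS = """\
# src_ip,dst_ip,proto,dst_port,bytes
10.20.0.15,142.250.74.46,TCP,443,18234
10.20.0.15,203.0.113.7,TCP,22011,4096
10.20.0.22,198.51.100.9,TCP,7777,1280
10.20.0.22,8.8.8.8,UDP,53,112
10.20.0.31,192.0.2.55,TCP,8443,900
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one CSV record in the assumed layout into a Flow."""
    src, dst, proto, dport, nbytes = line.strip().split(",")
    return Flow(src, dst, proto.upper(), int(dport), int(nbytes))


def classify(flow: Flow) -> str:
    """Return 'known-c2-port', 'uncommon-port' or 'expected' for a flow.

    Only the destination port is considered: this is outbound traffic, so the
    client's ephemeral source port carries no signal.
    """
    if flow.dport in KNOWN_C2_PORTS:
        return "known-c2-port"
    if flow.dport not in EXPECTED_PORTS:
        return "uncommon-port"
    return "expected"


def analyze(lines):
    """Run classify() over flow records.

    Returns (alerts, per_host): alerts is a list of
    (src, dst, dport, verdict) tuples for every non-expected flow, and
    per_host maps each source IP to the set of uncommon ports it contacted,
    which is what an analyst would pivot on next.
    """
    alerts = []
    per_host = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the header comment
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict != "expected":
            alerts.append((flow.src, flow.dst, flow.dport, verdict))
            per_host[flow.src].add(flow.dport)
    return alerts, dict(per_host)


if __name__ == "__main__":
    found, hosts = analyze(SAMPLE_FLOWS.splitlines())
    for src, dst, dport, verdict in found:
        print(f"{verdict:14s} {src} -> {dst}:{dport}")
    print("hosts to review:", hosts)
```

Note that an allow-list like this is deliberately noisy: the 8443 hit in the sample is probably benign, so in practice the expected set is derived from a baseline of the segment's own traffic, and a hit on a port from the known list is treated differently from a first-seen port.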
References
1. A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.
2. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
3. K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.
4. A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
5. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.