Remote File Copy
Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or onto the victim’s device.
Procedure Examples
Name | Description |
---|---|
Desert Scorpion | Desert Scorpion can upload attacker-specified files to the C2 server.[1] |
Mandrake | Mandrake can install attacker-specified components or applications.[2] |
Monokle | |
ViceLeaker | ViceLeaker can download attacker-specified files.[4] |
Mitigations
Mitigation | Description |
---|---|
Application Vetting | Applications with network connections to unknown domains or IP addresses could be further scrutinized to detect unauthorized file copying. Further, some application vetting services may indicate precisely what content was requested during application execution. |
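As an added example (not part of the ATT&CK page), the vetting check the mitigation describes, run over constructed sandbox network records for one app: executable content fetched from a raw IP address or from a host outside the app's known set is flagged, while ordinary content and downloads from known hosts are not. The package name, host names and the list of executable content types are assumptions.

```python
import ipaddress
from collections import namedtuple
# Content types and extensions that indicate executable content being copied
# onto the device (assumed list, not from the ATT&CK page).
EXECUTABLE_EXTENSIONS = (".apk", ".dex", ".jar", ".so")
EXECUTABLE_TYPES = {"application/vnd.android.package-archive",
                    "application/octet-stream", "application/java-archive"}
# One network request observed while vetting an app in a sandbox.
NetRecord = namedtuple("NetRecord", "app host path content_type size")

def is_ip_literal(host):
    """True when the host is a raw IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def flag_remote_file_copies(records, known_hosts):
    """Flag executable content fetched from a raw IP or from an unlisted host."""
    findings = []
    for r in records:
        if not (r.content_type in EXECUTABLE_TYPES
                or r.path.lower().endswith(EXECUTABLE_EXTENSIONS)):
            continue  # images, JSON, etc. are ordinary app traffic
        if is_ip_literal(r.host):
            reason = "raw IP address"
        elif r.host not in known_hosts.get(r.app, set()):
            reason = "unknown domain"
        else:
            continue  # known host: expected update or download traffic
        findings.append(f"{r.app}: {r.host}{r.path} ({r.size} bytes) - {reason}")
    return findings

# Constructed sample input: a vendor update, a DEX from an unlisted domain and a
# native library pulled from a raw IP (hosts and package name are made up).
KNOWN_HOSTS = {"com.example.notes": {"cdn.example.com", "updates.example.com"}}
SAMPLE_RECORDS = [
    NetRecord("com.example.notes", "cdn.example.com", "/theme.png", "image/png", 2048),
    NetRecord("com.example.notes", "updates.example.com", "/v2/app.apk",
              "application/vnd.android.package-archive", 4_500_000),
    NetRecord("com.example.notes", "files.unlisted-host.test", "/p/payload.dex",
              "application/octet-stream", 120_000),
    NetRecord("com.example.notes", "203.0.113.7", "/lib/native.so",
              "application/octet-stream", 80_000),
]
if __name__ == "__main__":
    for line in flag_remote_file_copies(SAMPLE_RECORDS, KNOWN_HOSTS):
        print(line)
```

In a real vetting pipeline the known-host set would come from the app's declared endpoints or its observed baseline, and the findings would feed the manual scrutiny the mitigation calls for rather than block on their own.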
Detection
Downloading remote files is common application behavior and is therefore typically undetectable to the end user.
References
- A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
- R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.