CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320)

CarbonSteal is one of a family of four surveillanceware tools that share a common C2 infrastructure. CarbonSteal primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Out of Band Data - T1644 (ec4c4baa-026f-43e8-8f56-58c36f3162dd) | Attack Pattern | CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | 1 |
| Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) | Attack Pattern | CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | 1 |
| Native API - T1575 (52eff1c7-dd30-4121-b762-24ae6fa61bbb) | Attack Pattern | CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | 1 |
| CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | Asymmetric Cryptography - T1521.002 (16d73b64-5681-4ea0-9af4-4ad86f7c96e8) | Attack Pattern | 1 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | 1 |
| System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | 1 |
| Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | 1 |
| Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) | Attack Pattern | CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | 1 |
| CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | 1 |
| CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | 1 |
| Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | 1 |
| CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 1 |
| CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) | Attack Pattern | 1 |
| Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d) | Attack Pattern | CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | 1 |
| CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | 1 |
| CarbonSteal - S0529 (007ebf84-4e14-44c7-a5aa-151d5de85320) | Malware | Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | 1 |
| Asymmetric Cryptography - T1521.002 (16d73b64-5681-4ea0-9af4-4ad86f7c96e8) | Attack Pattern | Encrypted Channel - T1521 (ed2c05a1-4f81-4d97-9e1b-aff01c34ae84) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 2 |
| Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) | Attack Pattern | 2 |
| Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d) | Attack Pattern | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 2 |
| Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | 2 |