{"description": "Mobile techniques used by CherryBlos, ATT&CK software S1225 (v1.0)", "name": "CherryBlos (S1225)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1453", "comment": "After accessibility permissions are granted, [CherryBlos](https://attack.mitre.org/software/S1225) has used the Accessibility Service to monitor when a wallet application launches and to steal credentials.(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[CherryBlos](https://attack.mitre.org/software/S1225) has communicated with the C2 server using HTTPS.(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1646", "comment": "[CherryBlos](https://attack.mitre.org/software/S1225) has exfiltrated credentials collected from pictures that have been analyzed using optical character recognition (OCR).(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1420", "comment": "[CherryBlos](https://attack.mitre.org/software/S1225) has accessed media files stored in external storage and has used optical character recognition (OCR) to recognize potential mnemonic phrases in pictures.(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1541", "comment": "[CherryBlos](https://attack.mitre.org/software/S1225) has utilized foreground services by showing a notification to evade detection.(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1629", "comment": "[CherryBlos](https://attack.mitre.org/software/S1225) has sent the victim back to the home screen when the victim navigates to the malicious application's settings and has automatically approved any permission requests by clicking on the \"Allow\" button when a system dialogue appears.(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1544", "comment": "[CherryBlos](https://attack.mitre.org/software/S1225) has received configuration files from the C2 server.(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1417", "comment": "[CherryBlos](https://attack.mitre.org/software/S1225) has captured victims' credentials through predefined fake activities.(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1655", "comment": "[CherryBlos](https://attack.mitre.org/software/S1225) has displayed masqueraded wallet applications if the EnabledUIMode field is set to `true`. [CherryBlos](https://attack.mitre.org/software/S1225) has also displayed a fake user interface while victims make withdrawals in the legitimate Binance application if the EnableExchange field is set to `true`. The withdrawal transaction is ultimately transferred to the threat actor\u2019s controlled address.(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "showSubtechniques": true}, {"techniqueID": "T1406.002", "comment": "[CherryBlos](https://attack.mitre.org/software/S1225) has used a commercial packer named Jiagubao to evade static detection.(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1660", "comment": "[CherryBlos](https://attack.mitre.org/software/S1225) has been distributed through the threat actors\u2019 Telegram group, fake TikTok and Twitter accounts, and YouTube videos.(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1424", "comment": "[CherryBlos](https://attack.mitre.org/software/S1225) has used the Accessibility Service to monitor when a wallet application has launched.(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "comment": "[CherryBlos](https://attack.mitre.org/software/S1225) has obtained a list of installed cryptocurrency wallet applications.(Citation: TrendMicro_CherryBlos_July2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by CherryBlos", "color": "#66b1ff"}]}