ATT&CK-CN V1.01 Last Update: 2019-11

Translators: Lin Miaoqian (林妙倩, cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), Dai Yilun (戴亦仑, Cyberpeace 赛宁网安). Original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1510

Glossary: /attack/glossary

Clipboard Modification

Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard. A malicious application can monitor clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to learn when the clipboard contents have changed. Listening for clipboard changes, reading the clipboard contents, and modifying the clipboard contents require no explicit application permission and can be performed by an application running in the background. This behavior changed with the release of Android 10, which no longer lets an application read clipboard data from the background (see Mitigations).

Adversaries may use Clipboard Modification to replace text before it is pasted, for example by replacing a copied Bitcoin wallet address with a wallet address under adversary control.

Clipboard Modification has been seen in the Android/Clipper.C trojan. ESET detected this sample in an application distributed through the Google Play Store that targeted cryptocurrency wallet addresses.
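The swap step described above, modelled as an added example in Python (not code from the ATT&CK page or from any analysed sample; the real Android handler would be Java or Kotlin). The function stands in for the body of OnPrimaryClipChangedListener.onPrimaryClipChanged(): it takes the current clip text, swaps anything that looks like a Bitcoin address for the attacker's, and returns what the clipper would write back with setPrimaryClip(), or None when it should leave the clipboard alone. The address regex, the attacker address and the clipboard strings are constructed for this example; the regex is a loose shape check, not an address validator.

```python
import re

# Rough shape of a Bitcoin address, which is all a clipper needs to decide whether
# the clipboard is worth tampering with: legacy/P2SH base58 (starts with 1 or 3)
# and bech32 (bc1...). No checksum is verified; heuristic, not a validator.
BTC_ADDRESS_RE = re.compile(
    r"(?<![A-Za-z0-9])"
    r"(?:bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"
    r"(?![A-Za-z0-9])"
)

# Constructed for this example; not a real wallet (base58 alphabet, 34 characters).
ATTACKER_ADDRESS = "1Attacker" + "X" * 25


def find_btc_addresses(text):
    """Return every substring of text that looks like a Bitcoin address."""
    return BTC_ADDRESS_RE.findall(text)


def on_primary_clip_changed(clip_text, attacker_address=ATTACKER_ADDRESS):
    """Model of the handler a clipper runs when the primary clip changes.

    Returns the text the clipper would write back with setPrimaryClip(), or None
    when it leaves the clipboard alone: either nothing address-like was copied, or
    the clip already carries the attacker's address (writing it back would fire
    the listener again and loop). Only the address is swapped; surrounding text
    survives so the victim still sees the message they copied.
    """
    if not isinstance(clip_text, str) or not clip_text:
        return None
    replaced = BTC_ADDRESS_RE.sub(attacker_address, clip_text)
    if replaced == clip_text:
        return None
    return replaced


def simulate_copy_paste(copied_text, attacker_address=ATTACKER_ADDRESS):
    """Drive the model through one copy and return what a later paste yields."""
    clip = copied_text
    for _ in range(3):  # the listener may fire more than once; it must settle
        new_clip = on_primary_clip_changed(clip, attacker_address)
        if new_clip is None:
            break
        clip = new_clip
    return clip


if __name__ == "__main__":
    # Constructed clipboard contents. The first address is the Bitcoin genesis
    # address, the second the BIP173 bech32 test vector; both are public values.
    for text in (
        "Send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa before Friday",
        "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
        "meeting moved to 10am",
    ):
        print(repr(text), "->", repr(simulate_copy_paste(text)))
```

The model uses one attacker address whatever the copied address type; it exists to show the decision the listener makes (swap only when the clip looks like an address, never re-trigger on its own output), which is also what a vetting reviewer should expect to find next to the clipboard calls.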

Tags

ID: T1510

Tactic Type: Post-Adversary Device Access

Tactic: Impact

Platform: Android

Mitigations

Mitigation  Description
Application Vetting (M1005)  Applications could be vetted for their use of the clipboard manager APIs, with extra scrutiny given to applications that make use of them.
Use Recent OS Version (M1006)  Android 10 prevents applications from accessing clipboard data unless the application is in the foreground or is set as the device's default input method editor (IME).
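One way to act on the Application Vetting mitigation, as an added example that is not part of the ATT&CK page: a Python scan over disassembled smali (the output of tools such as apktool or baksmali) that records which ClipboardManager APIs each class uses and rates the class, with the listener-plus-setPrimaryClip combination rated highest. The smali text, the class names, the severity scale, the background-component heuristic and the coin-address-regex heuristic are all assumptions of this example.

```python
import re

# Constructed smali standing in for a disassembled APK. Real output has one file
# per class; here two classes are concatenated and split on ".class" directives.
SAMPLE_SMALI = r'''
.class public Lcom/example/notes/EditorActivity;
.super Landroid/app/Activity;

.method private pasteFromClipboard()V
    .locals 2
    invoke-virtual {v1}, Landroid/content/ClipboardManager;->getPrimaryClip()Landroid/content/ClipData;
    return-void
.end method

.class public Lcom/example/notes/SyncService;
.super Landroid/app/Service;
.implements Landroid/content/ClipboardManager$OnPrimaryClipChangedListener;

.method public onCreate()V
    .locals 2
    invoke-virtual {v1, p0}, Landroid/content/ClipboardManager;->addPrimaryClipChangedListener(Landroid/content/ClipboardManager$OnPrimaryClipChangedListener;)V
    return-void
.end method

.method public onPrimaryClipChanged()V
    .locals 4
    const-string v0, "^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,62}$"
    invoke-virtual {v1}, Landroid/content/ClipboardManager;->getPrimaryClip()Landroid/content/ClipData;
    invoke-virtual {v1, v3}, Landroid/content/ClipboardManager;->setPrimaryClip(Landroid/content/ClipData;)V
    return-void
.end method
'''

CLIP_API_RE = re.compile(r"Landroid/content/ClipboardManager;->(\w+)\(")
LISTENER_IFACE = "Landroid/content/ClipboardManager$OnPrimaryClipChangedListener;"
# Heuristic: string constants that look like a coin-address regex. An assumption of
# this example, not an ATT&CK-documented indicator.
ADDRESS_PATTERN_HINT = re.compile(r"bc1|\[13\]")
# Heuristic: superclasses that mark a component likely to run without a visible UI.
BACKGROUND_SUPERS = ("Landroid/app/Service;", "Landroid/content/BroadcastReceiver;")


def scan_smali(smali_text):
    """Return one finding per class: clipboard APIs used, reasons and a severity."""
    findings = []
    cur = None
    for raw in smali_text.splitlines():
        line = raw.strip()
        if line.startswith(".class "):
            cur = {"class": line.split()[-1], "super": None, "apis": set(),
                   "implements_listener": False, "address_patterns": []}
            findings.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith(".super "):
            cur["super"] = line.split()[-1]
        elif line.startswith(".implements ") and LISTENER_IFACE in line:
            cur["implements_listener"] = True
        elif line.startswith("const-string"):
            literal = line.split(",", 1)[1].strip().strip('"')
            if ADDRESS_PATTERN_HINT.search(literal):
                cur["address_patterns"].append(literal)
        else:
            m = CLIP_API_RE.search(line)
            if m:
                cur["apis"].add(m.group(1))
    for f in findings:
        f["severity"], f["reasons"] = rate(f)
    return findings


def rate(f):
    """Severity scale of this example: listener plus write-back is the T1510 shape."""
    listens = f["implements_listener"] or "addPrimaryClipChangedListener" in f["apis"]
    writes = "setPrimaryClip" in f["apis"]
    reads = "getPrimaryClip" in f["apis"]
    background = f["super"] in BACKGROUND_SUPERS
    reasons = []
    if listens:
        reasons.append("registers OnPrimaryClipChangedListener")
    if writes:
        reasons.append("writes the clipboard with setPrimaryClip")
    if background and (listens or reads or writes):
        reasons.append("clipboard access from a background component")
    if f["address_patterns"]:
        reasons.append("embeds a coin-address-like regex")
    if listens and writes:
        return "high", reasons
    if listens or (writes and background):
        return "medium", reasons
    if reads or writes:
        return "low", reasons
    return "none", reasons


if __name__ == "__main__":
    for finding in scan_smali(SAMPLE_SMALI):
        print(finding["severity"], finding["class"], sorted(finding["apis"]), finding["reasons"])
```

A plain getPrimaryClip() in an Activity (the editor class above) is normal paste handling and only rates "low"; the service that registers the listener, reads, and writes back rates "high". Since Android 10 leaves clipboard access only to the focused app or the default IME, a companion check of AndroidManifest.xml for an input-method service declaration is worth adding when vetting apps that run on recent Android versions.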

Detection

Modifying clipboard content can be difficult to detect, so enterprises may be better served by focusing detection on other stages of adversarial behavior.