ID | B0019 |
---|---|
Objective(s) | Impact |
Related ATT&CK Techniques | Data Manipulation: Transmitted Data Manipulation (T1565.002) |
Impact Type | Integrity |
Version | 2.0 |
Created | 1 August 2019 |
Last Modified | 17 August 2023 |

Malware intercepts and manipulates network traffic, typically accessing or modifying data going to or originating from the system on which the malware instance is executing. This is also known as a Man-in-the-Middle (MIM) attack. This manipulation is reflected by activities such as data theft (e.g., credential harvesting) and injection of unwanted ads into websites. The former can be accomplished through installation of a fraudulent certificate, enabling interception of encrypted or unencrypted data. Malicious code executed in a MIM attack has also been credited with strategic redirection of web traffic, manipulation of a victim’s browsing experience, and code injection [1].
The related Data Manipulation: Transmitted Data Manipulation (T1565.002) ATT&CK sub-technique was defined subsequent to this MBC behavior.
Name | Date | Method | Description |
---|---|---|---|
SearchAwesome | 2018 | -- | SearchAwesome adware intercepts encrypted web traffic to inject ads. [2] |
MazarBot | 2016 | -- | MazarBot intercepts data coming into and going out of the device. [3] |
[1] B. Feeley and B. Stone-Gross, "New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration," CrowdStrike, blog, 20 Mar. 2019. [Online]. Available: https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module.
[2] https://www.malwarebytes.com/blog/news/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection
[3] https://us.norton.com/internetsecurity-emerging-threats-mazar-bot-malware-invades-and-erases-android-devices.html