The infographic from Securelist claims that the following scenario would be plausible:
1. The infected system calls a “decoy” satellite subscriber.
2. The satellite broadcasts the call over the whole area which it is able to cover.
3. a. The “decoy” system drops the invalid request, claiming that it does not have such a port and service to answer the call of the satellite.
   b. The C&C, pretending to be the “decoy” user, accepts the call.
4. The C&C answers via the landline while hiding itself as a “decoy” system.
5. The malware on the infected hosts uploads harvested data to the command and control server.