Night Dragon is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. [1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Night Dragon has used HTTP for C2.[1]
Enterprise | T1074.002 | Data Staged: Remote Data Staging | Night Dragon has copied files to company web servers and subsequently downloaded them.[1]
Enterprise | T1587.001 | Develop Capabilities: Malware | Night Dragon used privately developed and customized remote access tools.[1]
Enterprise | T1190 | Exploit Public-Facing Application | Night Dragon has performed SQL injection attacks of extranet web servers to gain access.[1]
Enterprise | T1133 | External Remote Services | Night Dragon has used compromised VPN accounts to gain access to victim systems.[1]
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim's machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.[1]
Enterprise | T1027 | Obfuscated Files or Information | A Night Dragon DLL included an XOR-encoded section.[1]
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Night Dragon is known to use software packing in its tools.[1]
Enterprise | T1588.002 | Obtain Capabilities: Tool | Night Dragon has obtained and used tools such as gsecdump.[1]
Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Night Dragon has dumped account hashes with Carbanak and cracked them with Cain & Abel.[1]
Enterprise | T1566.002 | Phishing: Spearphishing Link | Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded.[1]
Enterprise | T1219 | Remote Access Software | Night Dragon has used several remote administration tools as persistent infiltration channels.[1]
Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | Night Dragon used pass-the-hash tools to gain usernames and passwords.[1]
Enterprise | T1204.001 | User Execution: Malicious Link | Night Dragon enticed users to click on links in spearphishing emails to download malware.[1]
Enterprise | T1078 | Valid Accounts | Night Dragon has used compromised VPN accounts to gain access to victim systems.[1]