SOFTWARE
SOFTWARE
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Ngrok
ID: S0508
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Contributors: Janantha Marasinghe
Version: 1.0
Created: 15 September 2020
Last Modified: 29 September 2020
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1568 | .002 | Dynamic Resolution: Domain Generation Algorithms |
Ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.[1] |
| Enterprise | T1567 | Exfiltration Over Web Service |
Ngrok has been used by threat actors to configure servers for data exfiltration.[4] |
|
| Enterprise | T1572 | Protocol Tunneling |
Ngrok can tunnel RDP and other services securely over internet connections.[2][3][4][5] |
|
| Enterprise | T1090 | Proxy |
Ngrok can be used to proxy connections to machines located behind NAT or firewalls.[4][1] |
|
| Enterprise | T1102 | Web Service |
Ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.[1] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0117 | Fox Kitten |
References
- Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.
- Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
- Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims’ systems. Retrieved September 15, 2020.
- Segura, J. (2020, February 26). Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server. Retrieved September 15, 2020.
- Borja, A. Camba, A. et al (2020, September 14). Analysis of a Convoluted Attack Chain Involving Ngrok. Retrieved September 15, 2020.
- Orleans, A. (2020, August 31). Who Is PIONEER KITTEN?. Retrieved December 21, 2020.
×