Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1583.004 | Acquire Infrastructure: Server | During Night Dragon, threat actors purchased hosted services to use for C2.[1]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Night Dragon, threat actors used HTTP for C2.[1]
Enterprise | T1110.002 | Brute Force: Password Cracking | During Night Dragon, threat actors used Cain & Abel to crack password hashes.[1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells.[1]
Enterprise | T1584.004 | Compromise Infrastructure: Server | During Night Dragon, threat actors compromised web servers to use for C2.[1]
Enterprise | T1005 | Data from Local System | During Night Dragon, threat actors collected files and other data from compromised systems.[1]
Enterprise | T1074.002 | Data Staged: Remote Data Staging | During Night Dragon, threat actors copied files to company web servers and subsequently downloaded them.[1]
Enterprise | T1568 | Dynamic Resolution | During Night Dragon, threat actors used dynamic DNS services for C2.[1]
Enterprise | T1114.001 | Email Collection: Local Email Collection | During Night Dragon, threat actors used RAT malware to exfiltrate email archives.[1]
Enterprise | T1190 | Exploit Public-Facing Application | During Night Dragon, threat actors used SQL injection exploits against extranet web servers to gain access.[1]
Enterprise | T1133 | External Remote Services | During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.[1]
Enterprise | T1008 | Fallback Channels | During Night Dragon, threat actors used company extranet servers as secondary C2 servers.[1]
Enterprise | T1083 | File and Directory Discovery | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and browse the victim file system.[1]
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | During Night Dragon, threat actors disabled anti-virus and anti-spyware tools on some victim machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet.[1]
Enterprise | T1105 | Ingress Tool Transfer | During Night Dragon, threat actors used administrative utilities to deliver Trojan components to remote systems.[1]
Enterprise | T1112 | Modify Registry | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and manipulate the Registry.[1]
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | During Night Dragon, threat actors used software packing in their tools.[1]
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | During Night Dragon, threat actors used a DLL that included an XOR-encoded section.[1]
Enterprise | T1588.001 | Obtain Capabilities: Malware | During Night Dragon, threat actors used Trojans from underground hacker websites.[1]
Enterprise | T1588.002 | Obtain Capabilities: Tool | During Night Dragon, threat actors obtained and used tools such as gsecdump.[1]
Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | During Night Dragon, threat actors dumped account hashes using gsecdump.[1]
Enterprise | T1566.002 | Phishing: Spearphishing Link | During Night Dragon, threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded.[1]
Enterprise | T1219 | Remote Access Software | During Night Dragon, threat actors used several remote administration tools as persistent infiltration channels.[1]
Enterprise | T1608.001 | Stage Capabilities: Upload Malware | During Night Dragon, threat actors uploaded commonly available hacker tools to compromised web servers.[1]
Enterprise | T1033 | System Owner/User Discovery | During Night Dragon, threat actors used password cracking and pass-the-hash tools to discover usernames and passwords.[1]
Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | During Night Dragon, threat actors used pass-the-hash tools to obtain authenticated access to sensitive internal desktops and servers.[1]
Enterprise | T1204.001 | User Execution: Malicious Link | During Night Dragon, threat actors enticed users to click on links in spearphishing emails to download malware.[1]
Enterprise | T1078 | Valid Accounts | During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.[1]
Enterprise | T1078.002 | Valid Accounts: Domain Accounts | During Night Dragon, threat actors used domain accounts to gain further access to victim systems.[1]
ID | Name | Description
---|---|---
S0073 | ASPXSpy | During Night Dragon, threat actors deployed ASPXSpy on compromised web servers.[1]
S0110 | at | During Night Dragon, threat actors used at to execute droppers.[1]
S0008 | gsecdump | During Night Dragon, threat actors used gsecdump to dump account hashes.[1]
S0029 | PsExec | During Night Dragon, threat actors used PsExec to remotely execute droppers.[1]
S0350 | zwShell | During Night Dragon, threat actors used zwShell to generate Trojan variants, control victim machines, and exfiltrate data.[1]