Night Dragon

Night Dragon is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. [1]

ID: G0014
Version: 1.1

Techniques Used

Domain ID Name Use
PRE-ATT&CK T1307 Acquire and/or use 3rd party infrastructure services Night Dragon used servers in China, the U.S., and the Netherlands in an attempt to hide their operations.[1]
PRE-ATT&CK T1330 Acquire and/or use 3rd party software services Night Dragon used third party hosting services in the U.S. in an attempt to hide their operations.[1]
PRE-ATT&CK T1351 Remote access tool development Night Dragon used privately developed and customized remote access tools.[1]
Enterprise T1043 Commonly Used Port Night Dragon has used ports 25 and 80 for C2 communications.[1]
Enterprise T1003 Credential Dumping Night Dragon has dumped account hashes with Carbanak and cracked them with Cain & Abel.[1]
Enterprise T1074 Data Staged Night Dragon has copied files to company web servers and subsequently downloaded them.[1]
Enterprise T1089 Disabling Security Tools Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.[[1]
Enterprise T1190 Exploit Public-Facing Application Night Dragon has performed SQL injection attacks of extranet web servers to gain access.[1]
Enterprise T1133 External Remote Services Night Dragon has used compromised VPN accounts to gain access to victim systems.[1]
Enterprise T1027 Obfuscated Files or Information A Night Dragon DLL included an XOR-encoded section.[1]
Enterprise T1075 Pass the Hash Night Dragon used pass-the-hash tools to gain usernames and passwords.[1]
Enterprise T1219 Remote Access Tools Night Dragon has used several remote administration tools as persistent infiltration channels.[1]
Enterprise T1045 Software Packing Night Dragon is known to use software packing in its tools.[1]
Enterprise T1192 Spearphishing Link Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded.[1]
Enterprise T1071 Standard Application Layer Protocol Night Dragon has used HTTP for C2.[1]
Enterprise T1204 User Execution Night Dragon enticed users to click on links in spearphishing emails to download malware.[1]
Enterprise T1078 Valid Accounts Night Dragon has used compromised VPN accounts to gain access to victim systems.[1]


ID Name References Techniques
S0073 ASPXSpy [1] Web Shell
S0110 at [1] Scheduled Task
S0008 gsecdump [1] Credential Dumping
S0029 PsExec [1] Service Execution, Windows Admin Shares
S0350 zwShell [1] Command-Line Interface, File and Directory Discovery, File Deletion, Modify Registry, New Service, Remote Desktop Protocol, Scheduled Task, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Windows Admin Shares