Night Dragon

Night Dragon is the name given to a campaign attributed to a threat group whose activity originated primarily in China. [1]

ID: G0014
Version: 1.1

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| PRE-ATT&CK | T1307 | Acquire and/or use 3rd party infrastructure services | Night Dragon used servers in China, the U.S., and the Netherlands in an attempt to hide their operations. [1] |
| PRE-ATT&CK | T1330 | Acquire and/or use 3rd party software services | Night Dragon used third party hosting services in the U.S. in an attempt to hide their operations. [1] |
| PRE-ATT&CK | T1351 | Remote access tool development | Night Dragon used privately developed and customized remote access tools. [1] |
| Enterprise | T1043 | Commonly Used Port | Night Dragon has used ports 25 and 80 for C2 communications. [1] |
| Enterprise | T1003 | Credential Dumping | Night Dragon has dumped account hashes with Carbanak and cracked them with Cain & Abel. [1] |
| Enterprise | T1074 | Data Staged | Night Dragon has copied files to company web servers and subsequently downloaded them. [1] |
| Enterprise | T1089 | Disabling Security Tools | Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim's machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet. [1] |
| Enterprise | T1190 | Exploit Public-Facing Application | Night Dragon has performed SQL injection attacks against extranet web servers to gain access. [1] |
| Enterprise | T1133 | External Remote Services | Night Dragon has used compromised VPN accounts to gain access to victim systems. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | A Night Dragon DLL included an XOR-encoded section. [1] |
| Enterprise | T1075 | Pass the Hash | Night Dragon used pass-the-hash tools to gain usernames and passwords. [1] |
| Enterprise | T1219 | Remote Access Tools | Night Dragon has used several remote administration tools as persistent infiltration channels. [1] |
| Enterprise | T1045 | Software Packing | Night Dragon is known to use software packing in its tools. [1] |
| Enterprise | T1192 | Spearphishing Link | Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Night Dragon has used HTTP for C2. [1] |
| Enterprise | T1204 | User Execution | Night Dragon enticed users to click on links in spearphishing emails to download malware. [1] |
| Enterprise | T1078 | Valid Accounts | Night Dragon has used compromised VPN accounts to gain access to victim systems. [1] |

Software

| ID | Name | References | Techniques |
| --- | --- | --- | --- |
| S0073 | ASPXSpy | [1] | Web Shell |
| S0110 | at | [1] | Scheduled Task |
| S0008 | gsecdump | [1] | Credential Dumping |
| S0029 | PsExec | [1] | Service Execution, Windows Admin Shares |
| S0350 | zwShell | [1] | Command-Line Interface, File and Directory Discovery, File Deletion, Modify Registry, New Service, Remote Desktop Protocol, Scheduled Task, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Windows Admin Shares |

References