Night Dragon

Night Dragon is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. [1]

ID: G0014
Version: 1.2
Created: 31 May 2017
Last Modified: 25 March 2020

Techniques Used

Domain ID Name Use
PRE-ATT&CK T1307 Acquire and/or use 3rd party infrastructure services

Night Dragon used servers in China, the U.S., and the Netherlands in an attempt to hide their operations.[1]

PRE-ATT&CK T1330 Acquire and/or use 3rd party software services

Night Dragon used third party hosting services in the U.S. in an attempt to hide their operations.[1]

PRE-ATT&CK T1351 Remote access tool development

Night Dragon used privately developed and customized remote access tools.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Night Dragon has used HTTP for C2.[1]

Enterprise T1074 .002 Data Staged: Remote Data Staging

Night Dragon has copied files to company web servers and subsequently downloaded them.[1]

Enterprise T1190 Exploit Public-Facing Application

Night Dragon has performed SQL injection attacks of extranet web servers to gain access.[1]

Enterprise T1133 External Remote Services

Night Dragon has used compromised VPN accounts to gain access to victim systems.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.[1]

Enterprise T1027 Obfuscated Files or Information

A Night Dragon DLL included an XOR-encoded section.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Night Dragon is known to use software packing in its tools.[1]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Night Dragon has dumped account hashes with Carbanak and cracked them with Cain & Abel.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded.[1]

Enterprise T1219 Remote Access Software

Night Dragon has used several remote administration tools as persistent infiltration channels.[1]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Night Dragon used pass-the-hash tools to gain usernames and passwords.[1]

Enterprise T1204 .001 User Execution: Malicious Link

Night Dragon enticed users to click on links in spearphishing emails to download malware.[1]

Enterprise T1078 Valid Accounts

Night Dragon has used compromised VPN accounts to gain access to victim systems.[1]


ID Name References Techniques
S0073 ASPXSpy

Server Software Component: Web Shell

S0110 at

Scheduled Task/Job: At (Windows)

S0008 gsecdump

OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets

S0029 PsExec

Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

S0350 zwShell

Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, File and Directory Discovery, Indicator Removal on Host: File Deletion, Modify Registry, Remote Services: Remote Desktop Protocol, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery