NDiskMonitor

NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork. [1]

ID: S0272
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
| Enterprise | T1083 | File and Directory Discovery | NDiskMonitor can obtain a list of all files and directories as well as logical drives. [1] |
| Enterprise | T1105 | Remote File Copy | NDiskMonitor can download and execute a file from a given URL. [1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | NDiskMonitor uses AES to encrypt certain information sent over its C2 channel. [1] |
| Enterprise | T1082 | System Information Discovery | NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel. [1] |
| Enterprise | T1033 | System Owner/User Discovery | NDiskMonitor obtains the victim username and encrypts the information to send over its C2 channel. [1] |

Groups

Groups that use this software:

Patchwork

References