ngrok

ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. ngrok has been leveraged by threat actors in several campaigns, including for lateral movement and data exfiltration.[1][2][3][4]

ID: S0508
Type: TOOL
Platforms: Windows
Contributors: Janantha Marasinghe
Version: 1.2
Created: 14 September 2023
Last Modified: 25 September 2023

Techniques Used

Domain ID Name Use
Enterprise T1568.002 Dynamic Resolution: Domain Generation Algorithms

ngrok can provide DGA for C2 servers through random URL strings that change every 12 hours.[1]

Enterprise T1567 Exfiltration Over Web Service

ngrok has been used by threat actors to configure servers for data exfiltration.[5]

Enterprise T1572 Protocol Tunneling

ngrok can tunnel RDP and other services securely over internet connections.[2][3][5][6]

Enterprise T1090 Proxy

ngrok can be used to proxy connections to machines located behind NAT or firewalls.[5][1]

Enterprise T1102 Web Service

ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.[1]

Groups That Use This Software

ID Name References
G1003 Ember Bear

Ember Bear used ngrok during intrusions against Ukrainian victims.[7]

G1015 Scattered Spider

Scattered Spider has used ngrok to create secure tunnels to remote web servers.[8]

G0140 LazyScripter [4]

G0117 Fox Kitten [9]
