1. Home
  2. Software
  3. ngrok

ngrok

ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.[1][2][3][4]

ID: S0508
Type: TOOL
Platforms: Windows
Contributors: Janantha Marasinghe
Version: 1.2
Created: 14 September 2023
Last Modified: 25 September 2023
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.[1]
Enterprise T1567 Exfiltration Over Web Service

ngrok has been used by threat actors to configure servers for data exfiltration.[5]
Enterprise T1572 Protocol Tunneling

ngrok can tunnel RDP and other services securely over internet connections.[2][3][5][6]
Enterprise T1090 Proxy

ngrok can be used to proxy connections to machines located behind NAT or firewalls.[5][1]
Enterprise T1102 Web Service

ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.[1]

Groups That Use This Software

ID Name References
G1003 Ember Bear

Ember Bear used ngrok during intrusions against Ukrainian victims.[7]
G1015 Scattered Spider

Scattered Spider has used ngrok to create secure tunnels to remote web servers.[8]
G0140 LazyScripter

[4]
G0117 Fox Kitten

[9]

References

  1. Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.
  2. Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
  3. Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims’ systems. Retrieved September 15, 2020.
  4. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  5. Segura, J. (2020, February 26). Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server. Retrieved September 15, 2020.
  1. Borja, A. Camba, A. et al (2020, September 14). Analysis of a Convoluted Attack Chain Involving Ngrok. Retrieved September 15, 2020.
  2. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
  3. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  4. Orleans, A. (2020, August 31). Who Is PIONEER KITTEN?. Retrieved December 21, 2020.