Ngrok

Ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.[1][2][3]

ID: S0508
Type: MALWARE
Platforms: Windows
Contributors: Janantha Marasinghe
Version: 1.0
Created: 15 September 2020
Last Modified: 29 September 2020

Techniques Used

Domain ID Name Use
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.[1]

Enterprise T1567 Exfiltration Over Web Service

Ngrok has been used by threat actors to configure servers for data exfiltration.[4]

Enterprise T1572 Protocol Tunneling

Ngrok can tunnel RDP and other services securely over internet connections.[2][3][4][5]

Enterprise T1090 Proxy

Ngrok can be used to proxy connections to machines located behind NAT or firewalls.[4][1]

Enterprise T1102 Web Service

Ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.[1]

References