Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | 
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Mongall can establish persistence with the auto start function including using the value
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Mongall can use Base64 to encode information sent to its C2.[1]
Enterprise | T1005 | Data from Local System | Mongall has the ability to upload files from victims' machines.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Mongall has the ability to decrypt its payload prior to execution.[1]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Mongall has the ability to RC4 encrypt C2 communications.[1]
Enterprise | T1041 | Exfiltration Over C2 Channel | Mongall can upload files and information from a compromised host to its C2 server.[1]
Enterprise | T1105 | Ingress Tool Transfer | 
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | 
Enterprise | T1120 | Peripheral Device Discovery | Mongall can identify removable media attached to compromised hosts.[1]
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Mongall can inject a DLL into
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | 
Enterprise | T1082 | System Information Discovery | Mongall can identify drives on compromised hosts and retrieve the hostname via
Enterprise | T1204.002 | User Execution: Malicious File | Mongall has relied on a user opening a malicious document for execution.[1]

ID | Name | References
---|---|---
G1007 | Aoqin Dragon | 