Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.[1]

ID: S1026
Platforms: Windows
Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 25 July 2022
Last Modified: 24 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Mongall can use HTTP for C2 communication.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Mongall can establish persistence with the auto start function including using the value EverNoteTrayUService.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Mongall can use Base64 to encode information sent to its C2.[1]

Enterprise T1005 Data from Local System

Mongall has the ability to upload files from victim's machines.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Mongall has the ability to decrypt its payload prior to execution.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Mongall has the ability to RC4 encrypt C2 communications.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Mongall can upload files and information from a compromised host to its C2 server.[1]

Enterprise T1105 Ingress Tool Transfer

Mongall can download files to targeted systems.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Mongall has been packed with Themida.[1]

Enterprise T1120 Peripheral Device Discovery

Mongall can identify removable media attached to compromised hosts.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Mongall can inject a DLL into rundll32.exe for execution.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Mongall can use rundll32.exe for execution.[1]

Enterprise T1082 System Information Discovery

Mongall can identify drives on compromised hosts and retrieve the hostname via gethostbyname.[1]

Enterprise T1204 .002 User Execution: Malicious File

Mongall has relied on a user opening a malicious document for execution.[1]

Groups That Use This Software

ID Name References
G1007 Aoqin Dragon