NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | NGLite will initially beacon out to the NKN network via an HTTP POST over TCP 30003.[1]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | NGLite will use an AES encrypted channel for command and control purposes, in one case using the key
Enterprise | T1090.003 | Proxy: Multi-hop Proxy | NGLite has abused NKN infrastructure for its C2 communication.[1]
Enterprise | T1016 | System Network Configuration Discovery | NGLite identifies the victim system MAC and IPv4 addresses and uses these to establish a victim identifier.[1]
Enterprise | T1033 | System Owner/User Discovery | NGLite will run the
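A detection rule for the initial beacon described above (HTTP POST to the NKN network over TCP 30003), as an added example that is not part of the ATT&CK entry. It assumes a constructed one-line-per-request proxy log format; the sample lines are invented for illustration.

```python
"""Flag HTTP POST requests to TCP 30003 (NKN beacon port) in proxy logs.

Added example, not from the ATT&CK page. Assumed (constructed) log format:
    <timestamp> <src_ip> <method> <dst_ip>:<dst_port> <path>
"""
from collections import Counter

NKN_BEACON_PORT = 30003  # port stated on the page for the initial NKN beacon


def parse_line(line):
    """Split one constructed log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != 5 or ":" not in parts[3]:
        return None
    dst_ip, _, dst_port = parts[3].rpartition(":")
    if not dst_port.isdigit():
        return None
    return {"ts": parts[0], "src": parts[1], "method": parts[2].upper(),
            "dst": dst_ip, "port": int(dst_port), "path": parts[4]}


def find_nkn_beacons(lines):
    """Return parsed records matching the NGLite beacon pattern: POST to 30003."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["port"] == NKN_BEACON_PORT:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count matching beacons per internal source host for triage."""
    return dict(Counter(rec["src"] for rec in hits))


# Constructed sample log: two POSTs to 30003 from one host, plus benign noise.
SAMPLE_LOG = [
    "2021-11-01T10:00:01Z 10.0.0.12 POST 203.0.113.7:30003 /",
    "2021-11-01T10:00:02Z 10.0.0.12 GET 198.51.100.4:443 /index.html",
    "2021-11-01T10:00:03Z 10.0.0.20 POST 198.51.100.9:443 /api/login",
    "2021-11-01T10:05:01Z 10.0.0.12 POST 203.0.113.8:30003 /",
    "malformed line without the expected fields",
]

if __name__ == "__main__":
    for rec in find_nkn_beacons(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['port']}")
    print(summarize_by_source(find_nkn_beacons(SAMPLE_LOG)))
```

A single POST to 30003 is only a candidate; confirm against allow-listed NKN use before alerting on the source host.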