Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | During Night Dragon, the threat actors collected files and other data from compromised systems.[1] |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | During Night Dragon, threat actors used pass-the-hash tools to obtain authenticated access to sensitive internal desktops and servers.[1] |
| Enterprise | T1112 | Modify Registry | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and manipulate the Registry.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | During Night Dragon, threat actors used SQL injection exploits against extranet web servers to gain access.[1] |
| Enterprise | T1568 | Dynamic Resolution | During Night Dragon, threat actors used dynamic DNS services for C2.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells.[1] |
| Enterprise | T1008 | Fallback Channels | During Night Dragon, threat actors used company extranet servers as secondary C2 servers.[1] |
| Enterprise | T1584.004 | Compromise Infrastructure: Server | During Night Dragon, threat actors compromised web servers to use for C2.[1] |
| Enterprise | T1133 | External Remote Services | During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.[1] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | During Night Dragon, threat actors disabled anti-virus and anti-spyware tools in some instances on the victim's machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Night Dragon, threat actors used HTTP for C2.[1] |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | During Night Dragon, threat actors dumped account hashes using gsecdump.[1] |
| Enterprise | T1074.002 | Data Staged: Remote Data Staging | During Night Dragon, threat actors copied files to company web servers and subsequently downloaded them.[1] |
| Enterprise | T1083 | File and Directory Discovery | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and browse the victim file system.[1] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | During Night Dragon, threat actors uploaded commonly available hacker tools to compromised web servers.[1] |
| Enterprise | T1110.002 | Brute Force: Password Cracking | During Night Dragon, threat actors used Cain & Abel to crack password hashes.[1] |
| Enterprise | T1078 | Valid Accounts | During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.[1] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | During Night Dragon, threat actors used domain accounts to gain further access to victim systems.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | During Night Dragon, threat actors used software packing in their tools.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | During Night Dragon, threat actors used a DLL that included an XOR-encoded section.[1] |
| Enterprise | T1204.001 | User Execution: Malicious Link | During Night Dragon, threat actors enticed users to click on links in spearphishing emails to download malware.[1] |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | During Night Dragon, threat actors used RAT malware to exfiltrate email archives.[1] |
| Enterprise | T1033 | System Owner/User Discovery | During Night Dragon, threat actors used password cracking and pass-the-hash tools to discover usernames and passwords.[1] |
| Enterprise | T1583.004 | Acquire Infrastructure: Server | During Night Dragon, threat actors purchased hosted services to use for C2.[1] |
| Enterprise | T1588.001 | Obtain Capabilities: Malware | During Night Dragon, threat actors used Trojans from underground hacker websites.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | During Night Dragon, threat actors obtained and used tools such as gsecdump.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During Night Dragon, threat actors used administrative utilities to deliver Trojan components to remote systems.[1] |
| Enterprise | T1219 | Remote Access Software | During Night Dragon, threat actors used several remote administration tools as persistent infiltration channels.[1] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | During Night Dragon, threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded.[1] |

| ID | Name | Description |
|---|---|---|
| S0073 | ASPXSpy | During Night Dragon, threat actors deployed ASPXSpy on compromised web servers.[1] |
| S0110 | at | During Night Dragon, threat actors used at to execute droppers.[1] |
| S0008 | gsecdump | During Night Dragon, threat actors used gsecdump to dump account hashes.[1] |
| S0029 | PsExec | During Night Dragon, threat actors used PsExec to remotely execute droppers.[1] |
| S0350 | zwShell | During Night Dragon, threat actors used zwShell to generate Trojan variants, control victim machines, and exfiltrate data.[1] |