Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | Mongall has the ability to upload files from victims' machines.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Mongall has the ability to RC4-encrypt C2 communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Mongall has the ability to decrypt its payload prior to execution.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Mongall can establish persistence with the auto start function including using the value |
| Enterprise | T1120 | Peripheral Device Discovery | Mongall can identify removable media attached to compromised hosts.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Mongall can use Base64 to encode information sent to its C2.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1204.002 | User Execution: Malicious File | Mongall has relied on a user opening a malicious document for execution.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | |
| Enterprise | T1082 | System Information Discovery | Mongall can identify drives on compromised hosts and retrieve the hostname via |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Mongall can inject a DLL into |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Mongall can upload files and information from a compromised host to its C2 server.[1] |
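The table above lists RC4-encrypted C2 (T1573.001) and Base64-encoded C2 data (T1132.001) separately, but an analyst meets them as one layered blob in a captured HTTP body. The following is an added example written for this page, not code from the Mongall sample, from Aoqin Dragon's tooling, or from the cited report: it implements RC4, wraps it in Base64 the way an implant would, and shows the reverse unwrapping plus a printable-ratio heuristic for trying candidate keys recovered from an unpacked binary. The key `example-rc4-key`, the `host=...&drives=...` beacon layout, and the assumption that RC4 is applied before Base64 are all hypothetical; Mongall's real key and message format are not described on this page.

```python
"""Unwrap a Base64-wrapped, RC4-encrypted C2 message (illustrative layering, not Mongall's real format)."""
import base64
import string
from typing import Iterable, Optional

PRINTABLE = set(string.printable.encode())


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling + keystream generation. Encrypt and decrypt are the same XOR."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_c2_message(key: bytes, plaintext: bytes) -> str:
    """Implant side (assumed order): RC4-encrypt, then Base64 so the blob travels safely in an HTTP body."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_c2_message(key: bytes, body: str) -> bytes:
    """Analyst side: strip the Base64 layer, then RC4 with the recovered key."""
    return rc4(key, base64.b64decode(body, validate=True))


def looks_like_plaintext(data: bytes, threshold: float = 0.95) -> bool:
    """Triage heuristic: the right key yields mostly printable bytes, a wrong key yields noise."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold


def recover_key(body: str, candidate_keys: Iterable[bytes]) -> Optional[bytes]:
    """Try candidate keys (e.g. strings pulled from the unpacked sample) against one captured body."""
    for key in candidate_keys:
        try:
            if looks_like_plaintext(decode_c2_message(key, body)):
                return key
        except ValueError:                    # empty key or body that is not valid Base64
            continue
    return None


# Constructed sample: hypothetical key and beacon fields, not taken from any Mongall capture.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_BEACON = b"host=WIN-ABC123&drives=C:,D:&removable=E:"
SAMPLE_BODY = encode_c2_message(SAMPLE_KEY, SAMPLE_BEACON)

if __name__ == "__main__":
    print("captured POST body:", SAMPLE_BODY)
    key = recover_key(SAMPLE_BODY, [b"wrong-guess", b"another-guess", SAMPLE_KEY])
    print("recovered key:", key)
    print("decoded beacon:", decode_c2_message(key, SAMPLE_BODY))
```

Running the file prints the constructed Base64 body, the key that survives the printable-ratio check, and the decoded beacon. When the order of layers is unknown for a real sample, try both (Base64 then RC4, and RC4 then Base64); only one will produce printable output, and `base64.b64decode(..., validate=True)` will usually reject the wrong order outright.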
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1007 | Aoqin Dragon | |