| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1574 | Hijack Execution Flow | Nightdoor uses a legitimate executable to load a malicious DLL file for installation.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Nightdoor stores network configuration data in a file XOR encoded with the key value of |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Nightdoor creates a cmd.exe shell to send and receive commands from the command and control server via open pipes.[2] |
| Enterprise | T1071 | Application Layer Protocol | Nightdoor uses TCP and UDP communication for command and control traffic.[1][2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1082 | System Information Discovery | Nightdoor gathers information on the victim system such as CPU and computer name as well as device drivers. Nightdoor can also collect information about disk drives, their total and free space, and file system type.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Nightdoor gathers information on victim system users and usernames.[1] |
| Enterprise | T1124 | System Time Discovery | Nightdoor can identify the system local time information.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Nightdoor gathers information on victim system network configuration such as MAC addresses.[1] |
| Enterprise | T1102 | Web Service | Nightdoor can utilize Microsoft OneDrive or Google Drive for command and control purposes.[1][2] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Nightdoor embeds code from the public |
| Enterprise | T1057 | Process Discovery | Nightdoor can collect information on installed applications via Windows registry keys, as well as collecting information on running processes.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Nightdoor uses scheduled tasks for persistence to load the final malware payload into memory.[2] |
| ID | Name | References |
|---|---|---|
| G1034 | Daggerfly | Daggerfly uses Nightdoor as a backdoor mechanism for Windows hosts.[1][2] |