Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems and financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed that the campaign involved a threat group based in China.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.004 | Acquire Infrastructure: Server | During Night Dragon, threat actors purchased hosted services to use for C2.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Night Dragon, threat actors used HTTP for C2.[1] |
| Enterprise | T1110.002 | Brute Force: Password Cracking | During Night Dragon, threat actors used Cain & Abel to crack password hashes.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells.[1] |
| Enterprise | T1584.004 | Compromise Infrastructure: Server | During Night Dragon, threat actors compromised web servers to use for C2.[1] |
| Enterprise | T1005 | Data from Local System | During Night Dragon, the threat actors collected files and other data from compromised systems.[1] |
| Enterprise | T1074.002 | Data Staged: Remote Data Staging | During Night Dragon, threat actors copied files to company web servers and subsequently downloaded them.[1] |
| Enterprise | T1568 | Dynamic Resolution | During Night Dragon, threat actors used dynamic DNS services for C2.[1] |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | During Night Dragon, threat actors used RAT malware to exfiltrate email archives.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | During Night Dragon, threat actors used SQL injection exploits against extranet web servers to gain access.[1] |
| Enterprise | T1133 | External Remote Services | During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.[1] |
| Enterprise | T1008 | Fallback Channels | During Night Dragon, threat actors used company extranet servers as secondary C2 servers.[1] |
| Enterprise | T1083 | File and Directory Discovery | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and browse the victim file system.[1] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | During Night Dragon, threat actors disabled anti-virus and anti-spyware tools in some instances on the victims' machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During Night Dragon, threat actors used administrative utilities to deliver Trojan components to remote systems.[1] |
| Enterprise | T1112 | Modify Registry | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and manipulate the Registry.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | During Night Dragon, threat actors used software packing in their tools.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | During Night Dragon, threat actors used a DLL that included an XOR-encoded section.[1] |
| Enterprise | T1588.001 | Obtain Capabilities: Malware | During Night Dragon, threat actors used Trojans from underground hacker websites.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | During Night Dragon, threat actors obtained and used tools such as gsecdump.[1] |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | During Night Dragon, threat actors dumped account hashes using gsecdump.[1] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | During Night Dragon, threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded.[1] |
| Enterprise | T1219 | Remote Access Tools | During Night Dragon, threat actors used several remote administration tools as persistent infiltration channels.[1] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | During Night Dragon, threat actors uploaded commonly available hacker tools to compromised web servers.[1] |
| Enterprise | T1033 | System Owner/User Discovery | During Night Dragon, threat actors used password cracking and pass-the-hash tools to discover usernames and passwords.[1] |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | During Night Dragon, threat actors used pass-the-hash tools to obtain authenticated access to sensitive internal desktops and servers.[1] |
| Enterprise | T1204.001 | User Execution: Malicious Link | During Night Dragon, threat actors enticed users to click on links in spearphishing emails to download malware.[1] |
| Enterprise | T1078 | Valid Accounts | During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.[1] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | During Night Dragon, threat actors used domain accounts to gain further access to victim systems.[1] |

| ID | Name | Description |
|---|---|---|
| S0073 | ASPXSpy | During Night Dragon, threat actors deployed ASPXSpy on compromised web servers.[1] |
| S0110 | at | During Night Dragon, threat actors used at to execute droppers.[1] |
| S0008 | gsecdump | During Night Dragon, threat actors used gsecdump to dump account hashes.[1] |
| S0029 | PsExec | During Night Dragon, threat actors used PsExec to remotely execute droppers.[1] |
| S0350 | zwShell | During Night Dragon, threat actors used zwShell to generate Trojan variants, control victim machines, and exfiltrate data.[1] |