NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | NGLite will initially beacon out to the NKN network via an HTTP POST over TCP 30003.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | NGLite will use an AES encrypted channel for command and control purposes, in one case using the key |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | NGLite has abused NKN infrastructure for its C2 communication.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | NGLite identifies the victim system MAC and IPv4 addresses and uses these to establish a victim identifier.[1] |
| Enterprise | T1033 | System Owner/User Discovery | NGLite will run the |