Ngrok
Ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.[1][2][3]
ID: S0508
Type: MALWARE
Platforms: Windows
Contributors: Janantha Marasinghe
Version: 1.0
Created: 15 September 2020
Last Modified: 29 September 2020
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.[1] |
| Enterprise | T1567 | Exfiltration Over Web Service | Ngrok has been used by threat actors to configure servers for data exfiltration.[4] |
| Enterprise | T1572 | Protocol Tunneling | Ngrok can tunnel RDP and other services securely over internet connections.[2][3][4][5] |
| Enterprise | T1090 | Proxy | Ngrok can be used to proxy connections to machines located behind NAT or firewalls.[4][1] |
| Enterprise | T1102 | Web Service | Ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.[1] |
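The techniques above translate into two cheap hunts: a process-creation record whose command line starts an ngrok tunnel (T1572 / T1090, e.g. `ngrok tcp 3389` exposing local RDP), and a DNS or proxy log showing resolution of a random ngrok tunnel subdomain (T1102). The following is an added example written for this page, not code from ATT&CK or from the ngrok project. It runs over constructed Sysmon-style and resolver log samples embedded in the script; the domain suffix list, the sensitive-port table and the severity labels are assumptions chosen for illustration, not an authoritative indicator feed.

```python
"""Hunt for Ngrok tunnel activity in host and network telemetry.

Added example for this page (not ATT&CK or ngrok project code). All
indicator lists below are assumptions for illustration, and the log
samples at the bottom are constructed, not real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed tunnel-endpoint suffixes. Only subdomains are flagged; the apex
# (the vendor's own site) is not an indicator on its own.
NGROK_DOMAIN_SUFFIXES = (".ngrok.io", ".ngrok.com", ".ngrok-free.app")

# ngrok CLI sub-commands that open a tunnel, e.g. `ngrok tcp 3389`.
# Accepts a bare or quoted path to the binary, with or without ".exe".
NGROK_TUNNEL_RE = re.compile(
    r'(?:^|[\\/\s])ngrok(?:\.exe)?"?\s+(tcp|http|tls|start)\b(.*)', re.I
)
# First "[host:]port" token after the sub-command.
PORT_RE = re.compile(r"(?:^|\s)(?:[\w.-]+:)?(\d{1,5})\b")
# Assumed high-value services when exposed through a tunnel (T1572).
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH", 5985: "WinRM"}
# Hostname field in the constructed resolver log format used below.
DNS_QUERY_RE = re.compile(r"query=([\w.-]+)")


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID this observation maps to
    severity: str    # assumed triage label: "high" or "medium"
    detail: str


def check_process(image: str, cmdline: str) -> Optional[Finding]:
    """Flag a process-creation record (Sysmon EID 1 style) that starts a tunnel."""
    m = NGROK_TUNNEL_RE.search(cmdline)
    if not m:
        return None
    proto, rest = m.group(1).lower(), m.group(2)
    severity, detail = "medium", f"{image} started an ngrok {proto} tunnel"
    if proto == "tcp":
        pm = PORT_RE.search(rest)
        port = int(pm.group(1)) if pm else None
        if port in SENSITIVE_PORTS:
            severity = "high"
            detail += f" exposing {SENSITIVE_PORTS[port]} (port {port})"
    return Finding("T1572", severity, detail)


def check_hostname(hostname: str) -> Optional[Finding]:
    """Flag resolution of an ngrok tunnel subdomain (T1102); ignore the apex."""
    h = hostname.lower().rstrip(".")
    if any(h.endswith(s) for s in NGROK_DOMAIN_SUFFIXES):
        return Finding("T1102", "medium", f"lookup of ngrok tunnel endpoint {h}")
    return None


def hunt_dns(lines: List[str]) -> List[Finding]:
    """Run check_hostname over resolver log lines of the constructed format."""
    out: List[Finding] = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if m:
            f = check_hostname(m.group(1))
            if f:
                out.append(f)
    return out


# Constructed samples: (Image, CommandLine) pairs and resolver log lines.
SAMPLE_PROCESSES = [
    ("C:\\Users\\Public\\ngrok.exe", '"C:\\Users\\Public\\ngrok.exe" tcp 3389'),
    ("C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),
    ("C:\\Temp\\ngrok.exe", "ngrok.exe http 8080"),
]
SAMPLE_DNS = [
    "2020-09-15T10:00:01Z client=10.0.0.5 query=8f2c1d9e.ngrok.io type=A",
    "2020-09-15T10:00:02Z client=10.0.0.5 query=www.example.com type=A",
    "2020-09-15T10:00:03Z client=10.0.0.7 query=ngrok.io type=A",
]


def run_hunt() -> List[Finding]:
    """Apply both hunts to the constructed samples and return all findings."""
    findings = [f for img, cmd in SAMPLE_PROCESSES if (f := check_process(img, cmd))]
    findings.extend(hunt_dns(SAMPLE_DNS))
    return findings


if __name__ == "__main__":
    for f in run_hunt():
        print(f.technique, f.severity, f.detail)
```

The command-line match is the weaker of the two hunts: an operator who renames the binary defeats it, which is why the DNS-side check (or a file-hash match on the ngrok binary) should run alongside it. The 12-hour rotation of tunnel subdomains noted under T1568.002 is also the reason the hostname check matches on suffix rather than on any specific subdomain.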
References
- Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.
- Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
- Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims’ systems. Retrieved September 15, 2020.