Skip to content

S0508 Ngrok

Ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.1423

Item Value
ID S0508
Associated Names
Type MALWARE
Version 1.1
Created 15 September 2020
Last Modified 13 April 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms Ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.1
enterprise T1567 Exfiltration Over Web Service Ngrok has been used by threat actors to configure servers for data exfiltration.5
enterprise T1572 Protocol Tunneling Ngrok can tunnel RDP and other services securely over internet connections.4256
enterprise T1090 Proxy Ngrok can be used to proxy connections to machines located behind NAT or firewalls.51
enterprise T1102 Web Service Ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.1

Groups That Use This Software

ID Name References
G0117 Fox Kitten 7
G0140 LazyScripter 3

References

  1. Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020. 

  2. Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims’ systems. Retrieved September 15, 2020. 

  3. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  4. Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020. 

  5. Segura, J. (2020, February 26). Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server. Retrieved September 15, 2020. 

  6. Borja, A. Camba, A. et al (2020, September 14). Analysis of a Convoluted Attack Chain Involving Ngrok. Retrieved September 15, 2020. 

  7. Orleans, A. (2020, August 31). Who Is PIONEER KITTEN?. Retrieved December 21, 2020.