Skip to content

S0508 Ngrok

Ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.1423

Item Value
ID S0508
Associated Names
Type MALWARE
Version 1.1
Created 15 September 2020
Last Modified 13 April 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms Ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.1
enterprise T1567 Exfiltration Over Web Service Ngrok has been used by threat actors to configure servers for data exfiltration.5
enterprise T1572 Protocol Tunneling Ngrok can tunnel RDP and other services securely over internet connections.4256
enterprise T1090 Proxy Ngrok can be used to proxy connections to machines located behind NAT or firewalls.51
enterprise T1102 Web Service Ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.1

Groups That Use This Software

ID Name References
G0117 Fox Kitten 7
G0140 LazyScripter 3

References