S1026 Mongall
Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.1
Item | Value |
---|---|
ID | S1026 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 25 July 2022 |
Last Modified | 24 October 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Mongall can use HTTP for C2 communication.1 |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Mongall can establish persistence through the Windows autostart mechanism, including by setting a Run key value named EverNoteTrayUService.1 |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Mongall can use Base64 to encode information sent to its C2.1 |
enterprise | T1005 | Data from Local System | Mongall has the ability to upload files from victim machines.1 |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Mongall has the ability to decrypt its payload prior to execution.1 |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Mongall has the ability to RC4 encrypt C2 communications.1 |
enterprise | T1041 | Exfiltration Over C2 Channel | Mongall can upload files and information from a compromised host to its C2 server.1 |
enterprise | T1105 | Ingress Tool Transfer | Mongall can download files to targeted systems.1 |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.002 | Software Packing | Mongall has been packed with Themida.1 |
enterprise | T1120 | Peripheral Device Discovery | Mongall can identify removable media attached to compromised hosts.1 |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | Mongall can inject a DLL into rundll32.exe for execution.1 |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | Mongall can use rundll32.exe for execution.1 |
enterprise | T1082 | System Information Discovery | Mongall can identify drives on compromised hosts and retrieve the hostname via gethostbyname.1 |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Mongall has relied on a user opening a malicious document for execution.1 |
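The T1573.001 and T1132.001 rows above describe the C2 channel only at the level of "RC4" and "Base64". The following Python is an added illustration of that combination, not code from the cited report or from Mongall itself: it RC4-encrypts a beacon of the kind of host data the page says Mongall collects (hostname, drive list, removable media) and Base64-encodes the result for transport in an HTTP body, then reverses the process the way an analyst would over captured traffic once the key is known. The key (`DEMO_KEY`), the JSON field layout, and the encrypt-then-encode order are all assumptions made for the example; the page does not state Mongall's actual key or message format.

```python
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    # Key-scheduling algorithm: permute the state array S using the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: XOR each input byte with a keystream byte.
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Placeholder key: the page does not give Mongall's RC4 key, so this is an assumption.
DEMO_KEY = b"example-key"


def encode_beacon(fields: dict, key: bytes = DEMO_KEY) -> str:
    """Serialize host details, RC4-encrypt, then Base64-encode for an HTTP body.

    The JSON layout and the encrypt-then-encode order are assumptions for this demo,
    chosen because Base64 keeps the ciphertext printable inside an HTTP request.
    """
    plaintext = json.dumps(fields, sort_keys=True).encode()
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_beacon(blob: str, key: bytes = DEMO_KEY) -> dict:
    """Reverse of encode_beacon: Base64-decode, RC4-decrypt, parse JSON.

    With the wrong key the RC4 output is noise and json.loads raises, which is
    the usual first sign during analysis that the recovered key is incorrect.
    """
    return json.loads(rc4(key, base64.b64decode(blob)).decode())


# Constructed sample of the host data the page says Mongall gathers
# (hostname via gethostbyname, drive enumeration, removable media).
SAMPLE_FIELDS = {"host": "WS-0417", "drives": ["C:", "D:"], "removable": ["E:"]}


if __name__ == "__main__":
    blob = encode_beacon(SAMPLE_FIELDS)
    print("wire:", blob)
    print("decoded:", decode_beacon(blob))
```

Because RC4 is a stream cipher, the same `rc4()` call both encrypts and decrypts, and a recovered key plus the Base64 layer is all that is needed to read past beacons from a packet capture; the `rc4()` routine here is verified against the standard "Key"/"Plaintext" test vector rather than against any Mongall sample.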
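The T1547.001 row gives one concrete indicator, the Run key value name EverNoteTrayUService, and the T1218.011 row notes that Mongall executes via rundll32.exe. The Python below is an added example of turning those two facts into detection logic; it is not from the cited report. It parses Sysmon Event ID 13 (RegistryEvent, value set) records flattened to `key=value` text and flags writes under `CurrentVersion\Run` or `RunOnce` whose value name is on a watchlist or whose data launches rundll32.exe. The sample event lines are constructed for the example, the flattened log format is an assumption, and the rundll32 heuristic is the example's own generalization rather than something the page states about Mongall's Run value data.

```python
import re
from typing import Optional

# Constructed Sysmon Event ID 13 records flattened to key=value text. These are
# made-up sample lines for the example, not logs from a real Mongall intrusion.
SAMPLE_EVENTS = [
    'EventID=13 Image="C:\\Windows\\explorer.exe" '
    'TargetObject="HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive" '
    'Details="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
    'EventID=13 Image="C:\\Users\\u\\AppData\\Roaming\\svc.exe" '
    'TargetObject="HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\EverNoteTrayUService" '
    'Details="rundll32.exe C:\\Users\\u\\AppData\\Roaming\\evn.dll,Start"',
    'EventID=13 Image="C:\\Windows\\regedit.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" '
    'Details="DWORD (0x00000001)"',
]

# Run key value name reported for Mongall persistence (from the page); compared case-insensitively.
WATCHLIST_VALUE_NAMES = {"evernotetrayuservice"}

# key=value pairs where a value is either a quoted string (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Matches the Run / RunOnce key and captures the value name at the end of the path.
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$', re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split a flattened key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(event: dict) -> Optional[dict]:
    """Return a finding for Run/RunOnce value writes that match the watchlist or
    whose data launches rundll32.exe; return None for everything else."""
    if event.get("EventID") != "13":
        return None
    m = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not m:
        return None  # registry write, but not an autostart location
    value_name = m.group(2)
    details = event.get("Details", "")
    reasons = []
    if value_name.lower() in WATCHLIST_VALUE_NAMES:
        reasons.append("known Mongall value name (T1547.001)")
    if "rundll32" in details.lower():
        reasons.append("autostart entry launches rundll32.exe (T1218.011)")
    if not reasons:
        return None
    return {
        "value": value_name,
        "details": details,
        "writer": event.get("Image", ""),
        "reasons": reasons,
    }


def triage(lines) -> list:
    """Run classify() over every line and collect the findings."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The `writer` field (Sysmon's `Image`) is kept in each finding because the process that set the value is usually more telling than the value name: a legitimate installer writing a Run key is routine, while an executable under a user's AppData directory doing so, as in the constructed second line, is worth a closer look even when the value name is not on any watchlist.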
Groups That Use This Software
ID | Name | References |
---|---|---|
G1007 | Aoqin Dragon | 1 |