
S1026 Mongall

Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon. [1]

ID: S1026
Associated Names: none listed
Version: 1.0
Created: 25 July 2022
Last Modified: 24 October 2022

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Mongall can use HTTP for C2 communication. [1] |
| enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Mongall can establish persistence through the autostart function, including using the value name EverNoteTrayUService. [1] |
| enterprise | T1132.001 | Data Encoding: Standard Encoding | Mongall can Base64-encode information sent to its C2. [1] |
| enterprise | T1005 | Data from Local System | Mongall can collect files from the victim machine for upload. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Mongall can decrypt its payload prior to execution. [1] |
| enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Mongall can RC4-encrypt its C2 communications. [1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Mongall can upload files and information from a compromised host to its C2 server. [1] |
| enterprise | T1105 | Ingress Tool Transfer | Mongall can download files to targeted systems. [1] |
| enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Mongall has been packed with Themida. [1] |
| enterprise | T1120 | Peripheral Device Discovery | Mongall can identify removable media attached to compromised hosts. [1] |
| enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Mongall can inject a DLL into rundll32.exe for execution. [1] |
| enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Mongall can use rundll32.exe for execution. [1] |
| enterprise | T1082 | System Information Discovery | Mongall can enumerate drives on compromised hosts and retrieve the hostname via gethostbyname. [1] |
| enterprise | T1204.002 | User Execution: Malicious File | Mongall has relied on a user opening a malicious document for execution. [1] |
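The table above records Base64 encoding (T1132.001) and RC4 encryption (T1573.001) of Mongall's C2 traffic but, like the summary it is drawn from, gives neither the key nor the order in which the two layers are applied. The following Python is an added example written for this page; it is not Mongall's code and is not derived from it. It implements RC4, emulates an implant side that RC4-encrypts and then Base64-encodes a beacon (that order, the key `lab-key-2022`, and the beacon contents are assumptions made here), and shows the analyst-side decode plus a small candidate-key search that returns the first key yielding all-printable output.

```python
import base64

# Added example for this page, not Mongall's own code. The page states that
# Mongall Base64-encodes data sent to its C2 and RC4-encrypts C2 traffic; the
# key, the RC4-then-Base64 order and the beacon contents below are assumptions.

ASSUMED_KEY = b"lab-key-2022"                       # hypothetical key
ASSUMED_BEACON = b"host=WIN-LAB01;drives=C:,D:,E:"  # constructed beacon text


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                            # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_beacon(key: bytes, plaintext: bytes) -> str:
    """Emulated implant side: RC4, then Base64 (the order is an assumption)."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_beacon(key: bytes, body: str) -> bytes:
    """Analyst side: undo the Base64 layer, then RC4 with the same key."""
    return rc4(key, base64.b64decode(body, validate=True))


def find_key(candidates, body: str):
    """Try candidate keys and return (key, plaintext) for the first one whose
    output is entirely printable ASCII; (None, None) if none matches. This is a
    triage heuristic for textual beacons, not a cryptanalytic attack on RC4."""
    raw = base64.b64decode(body, validate=True)
    for key in candidates:
        pt = rc4(key, raw)
        if pt and all(0x20 <= b < 0x7F for b in pt):
            return key, pt
    return None, None


# Constructed sample "capture": produced by the emulated implant side above.
SAMPLE_BODY = encode_beacon(ASSUMED_KEY, ASSUMED_BEACON)

if __name__ == "__main__":
    print("captured body:", SAMPLE_BODY)
    print("decoded      :", decode_beacon(ASSUMED_KEY, SAMPLE_BODY))
    print("key search   :", find_key([b"wrong", b"guess", ASSUMED_KEY], SAMPLE_BODY))
```

In real triage the key comes from the unpacked sample (Mongall is Themida-packed, T1027.002), not from guessing; the printable-output check in `find_key` only helps when the beacon is text, and it must be reordered if the sample turns out to Base64-encode before encrypting.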

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1007 | Aoqin Dragon | [1] |
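For the persistence (T1547.001) and rundll32 injection (T1055.001 / T1218.011) rows in the techniques table above, the following Python is an added detection sketch written for this page; it is not code from the ATT&CK entry or from the Mongall report. It runs three checks over constructed Sysmon-style events rendered as key=value lines (Event ID 13 RegistryValueSet, 8 CreateRemoteThread, 1 ProcessCreate; every path, SID and process name is made up): a value written under a Run/RunOnce key, with the page-stated value name EverNoteTrayUService raised to high severity; a remote thread created in rundll32.exe; and rundll32.exe started with no DLL argument, which is a common analyst heuristic for an injection host rather than something the page states.

```python
import re

# Added detection sketch for this page, not code from the ATT&CK entry or from
# the Mongall report. Events are constructed Sysmon-style records rendered as
# key=value lines (13 = RegistryValueSet, 8 = CreateRemoteThread,
# 1 = ProcessCreate); every path, SID and process name below is made up.
SAMPLE_EVENTS = r"""
EventID=13 Image=C:\Users\lab\AppData\Local\Temp\update.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\EverNoteTrayUService Details=C:\Users\lab\AppData\Roaming\evernote\tray.exe
EventID=1 Image=C:\Windows\System32\rundll32.exe ParentImage=C:\Users\lab\AppData\Local\Temp\update.exe CommandLine="C:\Windows\System32\rundll32.exe"
EventID=8 SourceImage=C:\Users\lab\AppData\Local\Temp\update.exe TargetImage=C:\Windows\System32\rundll32.exe StartFunction=LoadLibraryW
EventID=1 Image=C:\Windows\System32\rundll32.exe ParentImage=C:\Windows\explorer.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL"
EventID=13 Image="C:\Program Files\Vendor\setup.exe" TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Vendor\DisplayName Details="Vendor App"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.IGNORECASE)
PAGE_STATED_VALUE = "EverNoteTrayUService"   # value name from the ATT&CK entry


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def check_event(ev: dict) -> list:
    """Return (severity, technique, message) tuples for one event."""
    alerts = []
    eid = ev.get("EventID")
    target = ev.get("TargetObject", "")

    # T1547.001: a value written under a Run/RunOnce key. The page-stated
    # value name is treated as a strong indicator; any other name is a lead.
    if eid == "13" and RUN_KEY_RE.search(target):
        value_name = target.rsplit("\\", 1)[-1]
        sev = "high" if value_name == PAGE_STATED_VALUE else "medium"
        alerts.append((sev, "T1547.001",
                       f"Run key value {value_name} set to {ev.get('Details')} by {ev.get('Image')}"))

    # T1055.001: a remote thread created inside rundll32.exe.
    if eid == "8" and ev.get("TargetImage", "").lower().endswith("\\rundll32.exe"):
        alerts.append(("high", "T1055.001",
                       f"remote thread in rundll32.exe from {ev.get('SourceImage')}"))

    # T1218.011: rundll32.exe launched with no DLL argument. A bare rundll32 is a
    # common injection host; this heuristic is an assumption, not a page claim.
    if eid == "1" and ev.get("Image", "").lower().endswith("\\rundll32.exe"):
        if len(ev.get("CommandLine", "").split(None, 1)) < 2:
            alerts.append(("medium", "T1218.011",
                           f"rundll32.exe started with no arguments by {ev.get('ParentImage')}"))
    return alerts


def scan(text: str) -> list:
    """Run check_event over every non-empty line and collect the alerts."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(check_event(parse_event(line)))
    return findings


if __name__ == "__main__":
    for sev, tid, msg in scan(SAMPLE_EVENTS):
        print(f"[{sev:6}] {tid}  {msg}")
```

Against the constructed events the scan raises three findings (the Run key write, the argument-less rundll32 start, and the remote thread into it) and stays silent on the legitimate rundll32 invocation and the Uninstall-key write. On real telemetry, pair the Event ID 13 check with the Event ID 1 check on the same process to cut noise from installers that legitimately register Run values.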