| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.003 | Mail Protocols | NightClub can use email for C2 communications. |
| enterprise | T1071.004 | DNS | NightClub can use a DNS tunneling plugin to exfiltrate data by adding it to the subdomain portion of a DNS request. |
| enterprise | T1010 | Application Window Discovery | NightClub can use GetForegroundWindow to enumerate the active window. |
| enterprise | T1123 | Audio Capture | NightClub can load a module that uses the LAME encoder and mciSendStringW to control and capture audio. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | NightClub has created a Windows service named WmdmPmSp to establish persistence. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.002 | Non-Standard Encoding | NightClub has used a non-standard encoding in DNS tunneling: the = padding is removed from the base64 output, / characters are replaced with -s, and + characters are replaced with -p. |
| enterprise | T1005 | Data from Local System | NightClub can use a file monitor to steal specific files from targeted systems. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | NightClub has copied captured files and keystrokes to the %TEMP% directory of compromised hosts. |
| enterprise | T1041 | Exfiltration Over C2 Channel | NightClub can use SMTP and DNS for file exfiltration and C2. |
| enterprise | T1083 | File and Directory Discovery | NightClub can use a file monitor to identify .lnk, .doc, .docx, .xls, .xlsx, and .pdf files. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.006 | Timestomp | NightClub can modify the Creation, Access, and Write timestamps of its malicious DLLs to match those of the genuine Windows DLL user32.dll. |
| enterprise | T1105 | Ingress Tool Transfer | NightClub can load multiple additional plugins on an infected host. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | NightClub can use a plugin for keylogging. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | NightClub has created a service named WmdmPmSp to spoof a Windows Media service. |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | NightClub has chosen file names that appear legitimate, including EsetUpdate-0117583943.exe for its dropper. |
| enterprise | T1112 | Modify Registry | NightClub can modify the Registry to set the ServiceDLL for a service created by the malware for persistence. |
| enterprise | T1106 | Native API | NightClub can use multiple native APIs, including GetKeyState, GetForegroundWindow, GetWindowThreadProcessId, and GetKeyboardLayout. |
| enterprise | T1027 | Obfuscated Files or Information | NightClub can obfuscate strings using a linear congruential generator (LCG): state[n+1] = (690069 × state[n] + 1) mod 2^32. |
| enterprise | T1120 | Peripheral Device Discovery | NightClub has the ability to monitor removable drives. |
| enterprise | T1057 | Process Discovery | NightClub has the ability to use GetWindowThreadProcessId to identify the process behind a specified window. |
| enterprise | T1113 | Screen Capture | NightClub can load a module that calls CreateCompatibleDC and GdipSaveImageToStream for screen capture. |
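
The DNS tunnel encoding described in the T1071.004 and T1132.002 rows, as an added example written for this page (Python; it is not NightClub code and not part of the MITRE entry): `nightclub_encode` and `nightclub_decode` implement the stated substitutions, `to_query_name` packs the result into 63-character DNS labels, and `scan_dns_log` recovers payloads from query-log lines. The zone `c2.example`, the log line format, and the exfiltrated path are constructed assumptions; the page names none of them.

```python
import base64
import re
from typing import List, Optional, Tuple

# Hypothetical C2 zone for the constructed sample; the page does not name one.
C2_ZONE = "c2.example"


def nightclub_encode(data: bytes) -> str:
    """Scheme from the page: base64, drop '=' padding, '/' -> '-s', '+' -> '-p'."""
    b64 = base64.b64encode(data).decode("ascii").rstrip("=")
    return b64.replace("/", "-s").replace("+", "-p")


def nightclub_decode(text: str) -> bytes:
    """Undo the substitutions, restore padding and decode; ValueError if malformed."""
    # '-' never occurs in standard base64, so every '-s' / '-p' pair is a substitution.
    b64 = text.replace("-s", "/").replace("-p", "+")
    if not re.fullmatch(r"[A-Za-z0-9+/]*", b64) or len(b64) % 4 == 1:
        raise ValueError("not a NightClub-style encoded string")
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def to_query_name(data: bytes, zone: str = C2_ZONE) -> str:
    """Pack the encoded payload into <=63-character labels under the zone."""
    enc = nightclub_encode(data)
    labels = [enc[i:i + 63] for i in range(0, len(enc), 63)]
    return ".".join(labels + [zone])


def extract_payload(qname: str, zone: str = C2_ZONE) -> Optional[bytes]:
    """Decoded payload if qname is a tunnel query under zone, else None.

    Only the zone suffix is compared case-insensitively: base64 is case-sensitive,
    so a resolver that randomises query case would corrupt this encoding.
    """
    qname = qname.rstrip(".")
    if not qname.lower().endswith("." + zone.lower()):
        return None
    sub = qname[: -(len(zone) + 1)]
    # Labels are concatenated; a '-s' / '-p' pair may straddle a label boundary.
    try:
        return nightclub_decode(sub.replace(".", ""))
    except ValueError:
        return None


def scan_dns_log(lines: List[str], zone: str = C2_ZONE) -> List[Tuple[str, bytes]]:
    """(client, payload) for each '<timestamp> <client> query <type> <name>' line that decodes."""
    hits: List[Tuple[str, bytes]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue
        payload = extract_payload(parts[4], zone)
        if payload is not None:
            hits.append((parts[1], payload))
    return hits


# Constructed sample log (not from the page): two benign lookups around one tunnel query.
EXFIL_PATH = b"C:\\Users\\a\\Documents\\q1.xlsx"
SAMPLE_DNS_LOG = [
    "2024-05-01T09:12:01Z 10.0.0.5 query A www.example.org",
    "2024-05-01T09:12:03Z 10.0.0.5 query A " + to_query_name(EXFIL_PATH),
    "2024-05-01T09:12:04Z 10.0.0.7 query A mail.example.org",
]

if __name__ == "__main__":
    for client, payload in scan_dns_log(SAMPLE_DNS_LOG):
        print(client, payload)
```

Without a known zone, the same decoder still works as a triage aid: feed it the subdomain of any name with unusually long labels or many `-s`/`-p` pairs and keep the ones that decode cleanly.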
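
The string obfuscation in the T1027 row, as an added example (Python, written for this page; not NightClub code): `lcg_next` is exactly the stated recurrence. The page does not say how the generator's output is combined with the string bytes, so `lcg_xor` assumes an XOR with the low byte of each successive state; that step is an assumption. `keystream_from_known` and the period check show why that matters to an analyst: for a modulus-2^32 LCG the low byte cycles every 256 steps regardless of seed, so a keystream recovered from one known plaintext decodes any string obfuscated from the same starting state.

```python
import itertools
from typing import Iterator

# Parameters stated on the page: state[n+1] = (690069 * state[n] + 1) mod 2^32.
LCG_A = 690069
LCG_C = 1
LCG_M = 1 << 32


def lcg_next(state: int) -> int:
    """One step of the page's recurrence."""
    return (LCG_A * state + LCG_C) % LCG_M


def lcg_states(seed: int) -> Iterator[int]:
    """Yield state[1], state[2], ... starting from state[0] = seed."""
    state = seed % LCG_M
    while True:
        state = lcg_next(state)
        yield state


def lcg_keystream(seed: int, n: int) -> bytes:
    """Assumption (not on the page): the low byte of each state is the key byte."""
    return bytes(s & 0xFF for s in itertools.islice(lcg_states(seed), n))


def lcg_xor(data: bytes, seed: int) -> bytes:
    """Assumed combination step: XOR with the keystream. XOR is its own inverse,
    so the same call both obfuscates and deobfuscates."""
    return bytes(b ^ k for b, k in zip(data, lcg_keystream(seed, len(data))))


def keystream_from_known(cipher: bytes, plain: bytes) -> bytes:
    """Recover keystream bytes wherever the plaintext is known (no seed needed)."""
    return bytes(c ^ p for c, p in zip(cipher, plain))


def low_byte_period(seed: int) -> int:
    """Steps until the state's low byte returns to its starting value.

    The low byte of the next state depends only on the low byte of the current one,
    and with a-1 divisible by 4 and c odd this sub-generator has full period 256.
    """
    start = seed & 0xFF
    x = (LCG_A * start + LCG_C) & 0xFF
    steps = 1
    while x != start:
        x = (LCG_A * x + LCG_C) & 0xFF
        steps += 1
    return steps


if __name__ == "__main__":
    seed = 0xDEADBEEF
    blob = lcg_xor(b"kernel32.dll", seed)
    print(blob.hex(), lcg_xor(blob, seed), low_byte_period(seed))
```

If analysis of the sample shows a different combination step (a different byte of the state, or addition instead of XOR), only `lcg_keystream` and `lcg_xor` change; the recurrence and the period argument stay the same.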
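
A check for the persistence described in the T1543.003, T1036.004 and T1112 rows, as an added example (Python, written for this page; not NightClub code): a service named WmdmPmSp is one character away from WmdmPmSN, the legitimate Portable Media Serial Number Service, so `triage_services` flags service names within one edit of a known legitimate name and any ServiceDll that points outside System32. The registry snapshot, the short list of known service names and the expansion of `%SystemRoot%` to `C:\Windows` are constructed assumptions.

```python
from typing import Dict, List

# Legitimate Windows service names a one-character variant could imitate.
# WmdmPmSN is the Portable Media Serial Number Service; the list is illustrative, not complete.
KNOWN_SERVICES = {"WmdmPmSN", "wuauserv", "Schedule", "Dnscache", "LanmanServer"}

# Constructed snapshot (not from the page) of HKLM\SYSTEM\CurrentControlSet\Services\<name>;
# ServiceDll is the value under the service's Parameters subkey.
SAMPLE_SERVICES: Dict[str, Dict[str, str]] = {
    "WmdmPmSN": {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k LocalService",
                 "ServiceDll": r"%SystemRoot%\System32\mspmsnsv.dll"},
    "WmdmPmSp": {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                 "ServiceDll": r"C:\ProgramData\WmdmPmSp\wmdmpmsp.dll"},
    "Dnscache": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
                 "ServiceDll": r"%SystemRoot%\System32\dnsrslvr.dll"},
}


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    a, b = a.lower(), b.lower()
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def expand(path: str) -> str:
    """Lower-case and expand %SystemRoot% (assumed C:\\Windows) for prefix comparison."""
    return path.lower().replace("%systemroot%", "c:\\windows")


def triage_services(services: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings for look-alike service names and ServiceDll values outside System32."""
    findings: List[str] = []
    for name, values in services.items():
        for known in sorted(KNOWN_SERVICES):
            if within_one_edit(name, known):
                findings.append(f"{name}: one edit away from legitimate service {known}")
        dll = values.get("ServiceDll")
        if dll and not expand(dll).startswith("c:\\windows\\system32\\"):
            findings.append(f"{name}: ServiceDll outside System32 ({dll})")
    return findings


if __name__ == "__main__":
    for finding in triage_services(SAMPLE_SERVICES):
        print(finding)
```

On a live host the same two values come from `reg query HKLM\SYSTEM\CurrentControlSet\Services\<name>` and `reg query HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters /v ServiceDll`; a svchost-hosted service whose DLL lives outside System32 deserves a look even when its name matches nothing on the list.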
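
A hunt for the timestomping in the T1070.006 row, as an added example (Python, written for this page; not NightClub code): `find_timestamp_clones` reports DLLs outside the Windows system directories whose Creation, Access and Write times all equal those of user32.dll. System directories are skipped because genuine binaries installed by the same update legitimately share timestamps, which is exactly why copying user32.dll's times is a useful disguise. The file records and their epoch timestamps are constructed; `collect` shows how to gather real ones with `os.stat`.

```python
import os
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class FileTimes:
    path: str
    created: int   # seconds since the epoch
    accessed: int
    written: int

    def same_times(self, other: "FileTimes") -> bool:
        return (self.created, self.accessed, self.written) == (
            other.created, other.accessed, other.written)


# Locations where many genuine binaries share install timestamps; matches there need
# other evidence and are not reported by this check.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def find_timestamp_clones(files: Iterable[FileTimes], reference: FileTimes) -> List[FileTimes]:
    """DLLs outside SYSTEM_DIRS whose three timestamps exactly equal the reference's."""
    clones: List[FileTimes] = []
    for f in files:
        p = f.path.lower()
        if not p.endswith(".dll") or p == reference.path.lower():
            continue
        if any(p.startswith(d) for d in SYSTEM_DIRS):
            continue
        if f.same_times(reference):
            clones.append(f)
    return clones


def collect(directory: str) -> List[FileTimes]:
    """Live collection. st_ctime is creation time on Windows only; on POSIX it is
    the inode change time, so run this on the Windows host or a mounted image."""
    out: List[FileTimes] = []
    for root, _, names in os.walk(directory):
        for n in names:
            full = os.path.join(root, n)
            st = os.stat(full)
            out.append(FileTimes(full, int(st.st_ctime), int(st.st_atime), int(st.st_mtime)))
    return out


# Constructed sample (not from the page): user32.dll's times copied onto one DLL in ProgramData.
USER32 = FileTimes(r"C:\Windows\System32\user32.dll", 1700000000, 1700000100, 1700000000)
SAMPLE_FILES = [
    USER32,
    FileTimes(r"C:\Windows\System32\kernel32.dll", 1700000000, 1700000100, 1700000000),
    FileTimes(r"C:\ProgramData\WmdmPmSp\wmdmpmsp.dll", 1700000000, 1700000100, 1700000000),
    FileTimes(r"C:\ProgramData\Vendor\helper.dll", 1715000000, 1715000500, 1715000000),
]

if __name__ == "__main__":
    for clone in find_timestamp_clones(SAMPLE_FILES, USER32):
        print("timestamps match user32.dll:", clone.path)
```

This compares the timestamps the file system API reports, which are the ones a timestomping tool rewrites; when a match is found, the NTFS $FILE_NAME attribute and the USN journal usually still hold the real times and are worth pulling before drawing conclusions.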