# S1106 NGLite

NGLite is a backdoor Trojan whose only capability is running commands received over its C2 channel. While those capabilities are standard for a backdoor, NGLite uses a novel C2 channel: it communicates between the implant and the operators over a decentralized network built on the legitimate NKN (New Kind of Network) project. [1]
| Item | Value |
|---|---|
| ID | S1106 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 08 February 2024 |
| Last Modified | 19 April 2024 |
## Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | NGLite initially beacons out to the NKN network via an HTTP POST over TCP port 30003. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | NGLite uses an AES-encrypted channel for command and control; in one observed sample the key was `WHATswrongwithUu`. [1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | NGLite has abused NKN infrastructure for its C2 communication. [1] |
| enterprise | T1016 | System Network Configuration Discovery | NGLite identifies the victim system's MAC and IPv4 addresses and uses them to build a victim identifier. [1] |
| enterprise | T1033 | System Owner/User Discovery | NGLite runs the `whoami` command to gather system information and returns the result to the command and control server. [1] |