Ninja is malware written in C++ that ToddyCat has used to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post-exploitation toolkit used exclusively by ToddyCat, and it allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and has been observed in specific infection chains being deployed by Samurai.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1090.001 | Proxy: Internal Proxy | Ninja can proxy C2 communications, including to and from internal agents without internet connectivity.[1][2] |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Ninja has the ability to use a proxy chain with up to 255 hops when using TCP.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Ninja has used legitimate-looking filenames for its loader, including update.dll and x64.dll.[2] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Ninja can create the services |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Ninja loaders can be side-loaded with legitimate and signed executables, including the VLC.exe media player.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | The Ninja loader component can decrypt and decompress the payload.[1][2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1480.001 | Execution Guardrails: Environmental Keying | Ninja can store its final payload in the Registry under |
| Enterprise | T1001 | Data Obfuscation | Ninja has the ability to modify headers and URL paths to hide malicious traffic in HTTP requests.[1] |
| Enterprise | T1001.003 | Data Obfuscation: Protocol or Service Impersonation | Ninja has the ability to mimic legitimate services with customized HTTP URL paths and headers to hide malicious traffic.[1] |
| Enterprise | T1132.002 | Data Encoding: Non-Standard Encoding | Ninja can encode C2 communications with a base64 algorithm using a custom alphabet.[1] |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1106 | Native API | The Ninja loader can call Windows APIs for discovery, process injection, and payload decryption.[1][2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | The Ninja payload is XOR encrypted and compressed.[2] Ninja has also XORed its configuration data with a constant value of |
| Enterprise | T1204.002 | User Execution: Malicious File | Ninja has gained execution through victims opening malicious executable files embedded in zip archives.[1] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | Ninja can change or create the last access or write times.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Ninja loader components can be executed through rundll32.exe.[2] |
| Enterprise | T1082 | System Information Discovery | Ninja can obtain the computer name and information on the OS and physical drives from targeted hosts.[1][2] |
| Enterprise | T1016 | System Network Configuration Discovery | Ninja can enumerate the IP address on compromised systems.[1] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055 | Process Injection | Ninja has the ability to inject an agent module into a new process and arbitrary shellcode into running processes.[1][2] |
| Enterprise | T1559 | Inter-Process Communication | Ninja can use pipes to redirect the standard input and the standard output.[1] |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | Ninja has been distributed to victims via the messaging app Telegram.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | Ninja can forward TCP packets between the C2 and a remote host.[1][2] |
| Enterprise | T1029 | Scheduled Transfer | Ninja can configure its agent to work only in specific time frames.[1] |
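Two rows in the table describe layers an analyst has to peel back when working with captured Ninja traffic or a dumped configuration: base64 with a non-standard alphabet (T1132.002) and a single-byte XOR over the configuration data (T1027.013). The following is an added example, not code from this page or from any Ninja sample. It shows the general technique for any 64-character alphabet: map the custom alphabet onto the standard one, let the standard library decode, then strip the XOR layer. The alphabet and XOR key below are constructed placeholders chosen for the example; the page gives neither of Ninja's actual values, and the sample "captured" blob is built inline from constructed data.

```python
import base64
import string

# Standard base64 alphabet, used only as the translation pivot.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed placeholder alphabet for this example (a permutation of the
# standard one). It is NOT the alphabet used by Ninja.
CUSTOM_ALPHABET = (
    "ZYXWVUTSRQPONMLKJIHGFEDCBA"
    "zyxwvutsrqponmlkjihgfedcba"
    "9876543210-_"
)

# Constructed placeholder XOR key; the page does not state Ninja's constant.
XOR_KEY = 0x5A


def _check_alphabet(alphabet: str) -> None:
    """Reject alphabets that cannot be mapped 1:1 onto the standard one."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    if "=" in alphabet:
        raise ValueError("'=' is reserved for padding")


def custom_b64decode(data: str, alphabet: str) -> bytes:
    """Decode base64 text that was written with a non-standard alphabet.

    Characters are translated to the standard alphabet and handed to the
    standard library; padding dropped by the encoder is restored first.
    """
    _check_alphabet(alphabet)
    std = data.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Encode bytes with a non-standard alphabet (used here to build test data)."""
    _check_alphabet(alphabet)
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def xor_single_byte(buf: bytes, key: int) -> bytes:
    """XOR every byte with one constant; applying it twice restores the input."""
    return bytes(b ^ key for b in buf)


def recover_config(blob: str, alphabet: str, key: int) -> bytes:
    """Analyst helper: undo the encoding layer, then the XOR layer."""
    return xor_single_byte(custom_b64decode(blob, alphabet), key)


# Constructed sample: a small configuration protected the way the two rows
# describe (XOR with a constant, then custom-alphabet base64). The URL is a
# placeholder, not a real indicator.
SAMPLE_CONFIG = b'{"beacon":"https://example.invalid/","hours":"09-18"}'
SAMPLE_BLOB = custom_b64encode(xor_single_byte(SAMPLE_CONFIG, XOR_KEY), CUSTOM_ALPHABET)


if __name__ == "__main__":
    print("captured blob :", SAMPLE_BLOB)
    print("recovered     :", recover_config(SAMPLE_BLOB, CUSTOM_ALPHABET, XOR_KEY))
```

The decoder deliberately refuses alphabets that are not 64 distinct characters or that reuse the padding character, since a wrong alphabet recovered from a sample otherwise fails silently with plausible-looking garbage. Once a real alphabet and key have been recovered from a sample, they replace the two placeholders and the rest of the code is unchanged.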