1. Home
  2. Software
  3. NGLite

NGLite

NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.[1]

ID: S1106
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 February 2024
Last Modified: 19 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1090 .003 代理: Multi-hop Proxy

NGLite has abused NKN infrastructure for its C2 communication.[1]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

NGLite will use an AES encrypted channel for command and control purposes, in one case using the key WHATswrongwithUu.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

NGLite will initially beacon out to the NKN network via an HTTP POST over TCP 30003.[1]
Enterprise T1033 系统所有者/用户发现

NGLite will run the whoami command to gather system information and return this to the command and control server.[1]
Enterprise T1016 系统网络配置发现

NGLite identifies the victim system MAC and IPv4 addresses and uses these to establish a victim identifier.[1]

References

  1. Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024.