Ninja

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Ninja can use HTTP for C2 communications.(Citation: Kaspersky ToddyCat June 2022) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Ninja can create the services `httpsvc` and `w3esvc` for persistence.(Citation: Kaspersky ToddyCat June 2022) |
| Enterprise | T1132.002 | Data Encoding: Non-Standard Encoding | Ninja can encode C2 communications with a base64 algorithm using a custom alphabet.(Citation: Kaspersky ToddyCat June 2022) |
| Enterprise | T1001.003 | Data Obfuscation: Protocol or Service Impersonation | Ninja has the ability to mimic legitimate services with customized HTTP URL paths and headers to hide malicious traffic.(Citation: Kaspersky ToddyCat June 2022) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Ninja can XOR and AES encrypt C2 messages.(Citation: Kaspersky ToddyCat June 2022) |
| Enterprise | T1480.001 | Execution Guardrails: Environmental Keying | Ninja can store its final payload in the Registry under `$HKLM\SOFTWARE\Classes\Interface\` encrypted with a dynamically generated key based on the drive's serial number.(Citation: Kaspersky ToddyCat June 2022) |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Ninja loaders can be side-loaded with legitimate and signed executables including the VLC.exe media player.(Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | Ninja can change or create the last access or write times.(Citation: Kaspersky ToddyCat June 2022) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Ninja has used legitimate-looking filenames for its loader including update.dll and x64.dll.(Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | The Ninja payload is XOR-encrypted and compressed.(Citation: Kaspersky ToddyCat Check Logs October 2023) Ninja has also XORed its configuration data with a constant value of `0xAA` and compressed it with the LZSS algorithm.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | Ninja has been distributed to victims via the messaging app Telegram.(Citation: Kaspersky ToddyCat June 2022) |
| Enterprise | T1090.001 | Proxy: Internal Proxy | Ninja can proxy C2 communications, including to and from internal agents without internet connectivity.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Ninja has the ability to use a proxy chain with up to 255 hops when using TCP.(Citation: Kaspersky ToddyCat June 2022) |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Ninja loader components can be executed through rundll32.exe.(Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1204.002 | User Execution: Malicious File | Ninja has gained execution through victims opening malicious executable files embedded in zip archives.(Citation: Kaspersky ToddyCat June 2022) |