Night Dragon


McAfee has identified a string of attacks designed to steal sensitive data from targeted organizations. Unlike opportunistic attacks, the perpetrators appear to be sophisticated, highly organized, and motivated in their pursuits.

Night Dragon attacks are similar to Operation Aurora and other advanced persistent threats (APTs) in that they employ a combination of social engineering and well-coordinated, targeted cyberattacks using Trojans, remote control software, and other malware. While the Night Dragon attacks have only recently been on the rise, McAfee has linked them to intrusions starting in November 2009, which may be leveraging techniques detected as early as 2008. New Night Dragon attacks are now being identified every day.

McAfee has evidence of Night Dragon malware infections in the Americas, Europe, and Asia, as well as in countries in the Middle East and North Africa. McAfee has also identified tools, techniques, and network activities used during these continuing attacks that point to individuals in China as the primary source. The Night Dragon attackers are currently targeting global oil, energy, and petrochemical companies with the apparent intent of stealing sensitive information such as operational details, exploration research, and financial data. As the WikiLeaks document disclosures brought about by a malicious insider showed, sensitive data theft can be highly damaging beyond regulatory penalties and lost revenue. And unlike Stuxnet, the tools and techniques behind Night Dragon are not specific to critical infrastructure and can be used to launch attacks against any industry.

Attack Details

Night Dragon attacks leverage coordinated, covert, and targeted cyberattacks involving social engineering, spearphishing, exploitation of vulnerabilities in the Windows operating system, Active Directory compromises, and remote administration tools (RATs). The attack sequence is as follows:

  • Public-facing web servers are compromised via SQL injection; malware and RATs are installed.
  • The compromised web servers are used to stage attacks on internal targets.
  • Spearphishing attacks on mobile, VPN-connected workers are used to gain additional internal access.
  • Attackers use password-stealing tools to access other systems—installing RATs and malware as they go.
  • Systems belonging to executives are targeted for emails and files which are captured by the attackers.

Common Questions and Answers

Q: How can we find out if we’re infected?
A: Update your antivirus .DATs to at least 6232, ensure on-demand scans are working properly, and perform a full file system virus scan. Review McAfee ePO, antivirus alerts, and network logs to identify compromised systems.
McAfee offers tools to assist you:

If you have discovered the presence of Night Dragon in your environment and would like incident response or forensics assistance, please call Foundstone Services at 1-888-847-8766.

Q: Is there network/IDS detection available?
A: Yes. Monitor network communications for the following byte sequence, which an infected computer sends as a "beacon" to its command and control server: \x01\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x68\x57\x24\x13. Contact McAfee for additional network intelligence support.
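The following is an added example, not McAfee's detection tooling: it turns the escaped beacon string printed above into raw bytes, renders it in Snort/Suricata |hex| content notation so it can be dropped into an IDS rule, and searches reassembled TCP streams for it. Per-packet matching would miss a beacon split across two segments, so the search runs over payloads concatenated per (source, destination) pair. The packet tuple shape and the sample packets are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# The beacon exactly as the advisory prints it, as a backslash-escaped string.
BEACON_ESCAPED = r"\x01\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x68\x57\x24\x13"


def escaped_to_bytes(s: str) -> bytes:
    """Convert a '\\xNN\\xNN...' string into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))


NIGHT_DRAGON_BEACON = escaped_to_bytes(BEACON_ESCAPED)


def snort_content(pattern: bytes) -> str:
    """Render bytes in the |hex| form used by Snort/Suricata 'content:' options."""
    return "|" + " ".join(f"{b:02x}" for b in pattern) + "|"


# Hypothetical minimal packet record: (src address, dst address, TCP payload).
Packet = Tuple[str, str, bytes]


def reassemble(packets: Iterable[Packet]) -> Dict[Tuple[str, str], bytes]:
    """Concatenate payloads per (src, dst) in arrival order so a beacon
    split across segments is still contiguous when searched."""
    streams: Dict[Tuple[str, str], bytes] = {}
    for src, dst, payload in packets:
        streams[(src, dst)] = streams.get((src, dst), b"") + payload
    return streams


def find_beacons(packets: Iterable[Packet]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, offset) for every stream containing the beacon."""
    hits = []
    for (src, dst), data in reassemble(packets).items():
        off = data.find(NIGHT_DRAGON_BEACON)
        if off != -1:
            hits.append((src, dst, off))
    return hits


# Constructed traffic: the first host sends the beacon split over two segments,
# the second host sends ordinary HTTP followed by only a 4-byte prefix of it.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.15", "203.0.113.7", b"\x01\x50\x00\x00\x00\x00\x00\x00"),
    ("10.0.0.15", "203.0.113.7", b"\x00\x00\x00\x01\x68\x57\x24\x13"),
    ("10.0.0.22", "198.51.100.9", b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.22", "198.51.100.9", b"\x01\x50\x00\x00"),
]

if __name__ == "__main__":
    print("IDS content option:", snort_content(NIGHT_DRAGON_BEACON))
    for src, dst, off in find_beacons(SAMPLE_PACKETS):
        print(f"beacon from {src} to {dst} at stream offset {off}")
```

A rule built from `snort_content()` should additionally restrict direction (internal hosts to external addresses) and, if your sensor supports it, anchor the pattern at the start of the payload with `offset:0` to keep false positives down; the reassembly here is deliberately simple and does not handle retransmissions or out-of-order segments.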

Q: Can we find Night Dragon without computer forensics?
A: Yes. The backdoor DLL is simply marked with the Hidden or System file attribute and can be found by size (19 – 23 KB), usually in the C:\Windows\System32 or C:\Windows\SysWow64 directory. Additional artifacts exist on the file system that can identify when the dropper installed the backdoor DLL and what types of activities the attacker conducted (Remote Desktop, Command Shell, etc.).
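The following is an added example, not a McAfee tool: it lists .dll files in a directory whose size falls in the 19 – 23 KB window and, on Windows, whether they carry the Hidden or System attribute, along with their modification time as a starting point for the installation timeline. The size window is interpreted as KiB, which is an assumption; the Windows attribute bits come from winnt.h. Off Windows, `os.stat` does not expose file attributes, so the attribute filter is reported as unknown rather than silently excluding every file. The demo directory and file names are constructed.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Size window from the advisory, read as KiB (assumption).
MIN_SIZE = 19 * 1024
MAX_SIZE = 23 * 1024

# Windows file attribute bits (winnt.h).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


@dataclass
class Candidate:
    path: str
    size: int
    hidden_or_system: Optional[bool]  # None when attributes are unavailable (non-Windows)
    mtime: float


def hidden_or_system(st: os.stat_result) -> Optional[bool]:
    """True/False on Windows; None elsewhere, where st_file_attributes is absent."""
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def find_candidate_dlls(directory: str, only_hidden_or_system: bool = True) -> List[Candidate]:
    """Return .dll files in `directory` whose size is inside the window.
    When only_hidden_or_system is set, files known NOT to carry the attribute
    are dropped; files whose attributes are unknown are kept for manual review."""
    found: List[Candidate] = []
    with os.scandir(directory) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            if not entry.name.lower().endswith(".dll"):
                continue
            st = entry.stat(follow_symlinks=False)
            if not (MIN_SIZE <= st.st_size <= MAX_SIZE):
                continue
            flag = hidden_or_system(st)
            if only_hidden_or_system and flag is False:
                continue
            found.append(Candidate(entry.path, st.st_size, flag, st.st_mtime))
    return sorted(found, key=lambda c: c.path)


def demo() -> List[str]:
    """Build a constructed directory and return the file names flagged.
    The files carry no Windows attributes, so the attribute filter is disabled here."""
    root = tempfile.mkdtemp(prefix="nd_demo_")
    samples = {
        "candidate.dll": 21 * 1024,   # inside the window
        "bigger.dll": 64 * 1024,      # too large
        "tiny.dll": 4 * 1024,         # too small
        "dropper.exe": 20 * 1024,     # right size, wrong extension
    }
    for name, size in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"\x00" * size)
    return [os.path.basename(c.path) for c in find_candidate_dlls(root, only_hidden_or_system=False)]


if __name__ == "__main__":
    for d in (r"C:\Windows\System32", r"C:\Windows\SysWOW64"):
        if os.path.isdir(d):
            for c in find_candidate_dlls(d):
                print(f"{c.path}\t{c.size}\thidden/system={c.hidden_or_system}\tmtime={c.mtime}")
    print("demo result:", demo())
```

Size and attributes alone will also match legitimate small system DLLs, so treat the output as a triage list: compare each hit's modification time against the suspected intrusion window, check whether it is digitally signed, and submit anything unexplained for scanning.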

Q: If we find Night Dragon do we need to worry about it infecting other computers?
A: No. Night Dragon has no "worm" infection capability and does not self-propagate. Night Dragon is a Trojan backdoor that is installed on a system using a Trojan dropper (.exe) file that is copied to computers by an attacker—usually over Windows shares.