Knowledge Center

Important information about Night Dragon
Technical Articles ID:   KB71150
Last Modified:  4/7/2017


Multiple McAfee products
Night Dragon attacks


McAfee uncovered a major string of attacks designed to steal sensitive data from targeted organizations. McAfee has named these attacks Night Dragon.

McAfee has added Night Dragon protection (and protection to similar threats) to its security solutions. For the best defense against Night Dragon and other attacks, McAfee recommends you use its latest endpoint and network solutions, with updated signatures and Global Threat Intelligence (GTI) enabled. Although Night Dragon attacks are not linked to Operation Aurora (http://www.mcafee.com/us/threat-center/operation-aurora.aspx), both are Advanced Persistent Threats (APTs). APTs combine social engineering with well-coordinated, targeted, cyber-attacks using Trojans, remote control software, and other malware. 

Attack Details
Night Dragon attacks use coordinated, covert, and targeted cyber-attacks involving: social engineering, spear phishing, vulnerability exploits in the Windows operating system, Active Directory compromises, and Remote Administration Tools (RATs).

The Night Dragon attack sequence is as follows:
  1. Compromise public-facing web servers via SQL injection; install malware and RATs.
  2. Use the compromised web servers to stage attacks on internal targets.
  3. Launch spear-phishing attacks on mobile worker laptops to compromise VPN-connected accounts and gain additional internal access.
  4. Use password stealing tools to access other systems and install RATs and malware in the process.
  5. Target computers that belong to executives to capture their email and files.
How can you find out if you are infected?
Update your DAT files to the latest version, ensure On-Demand Scans are working properly, and perform a full file system virus scan. Review ePolicy Orchestrator (ePO) anti-virus alerts and network logs to identify compromised systems. The first DAT version to detect Night Dragon is 6232.

McAfee tools to assist you:

Is network / intrusion detection available?
Yes. Monitor network communications for the following string, which indicates an infected computer is sending a "beacon" to a Command and Control (C&C) Server:

Contact Technical Support for extra network intelligence support.
To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
Can you find Night Dragon without computer forensics?
Yes. The DLL is a Hidden or System file attribute and can be found by size (19-23 KB). It is usually located in the C:\Windows\System32 or C:\Windows\SysWow64 directory.
Additional artifacts exist on the file system that can identify when the dropper installed the backdoor DLL and what types of activities the attacker conducted (for example, Remote Desktop and the Command Shell).

If you find Night Dragon, do you need to worry about it infecting other computers?
No. Night Dragon is a Trojan backdoor. It has no Worm infection capability and does not self-propagate. Attackers typically install Night Dragon on different computers using a Trojan dropper file (.exe) on a Windows share.

How do McAfee products combat Night Dragon?
APTs are sophisticated, multi-faceted attacks that require a coordinated and well-architected defense. McAfe has added Night Dragon protection to all products using DAT files, and specifically to the following point products:
McAfee product Coverage Product information
Application Control  Application Control prevents malware by not allowing unapproved software to run. http://www.mcafee.com/us/products/application-control.aspx
Configuration Control Configuration Control disallows unapproved configuration changes. http://www.mcafee.com/us/products/configuration-control.aspx
Data Loss Protection Data Loss Protection prevents and detects the extraction of sensitive data. http://www.mcafee.com/us/products/data-protection/data-loss-prevention.aspx
Email and Web Security Email and Web Security offers protection against phishing. http://www.mcafee.com/us/products/saas-email-and-web-protection-suite.aspx
Email Gateway Email Gateway offers protection against phishing. http://www.mcafee.com/us/products/email-gateway.aspx 
Endpoint Encryption Endpoint Encryption reduces usability of targeted, sensitive information. http://www.mcafee.com/us/products/endpoint-encryption.aspx
Host Intrusion Prevention Host Intrusion Prevention with GTI delivers protection against RATs.
Host Intrusion Prevention with SQL Server Protection provides protection for SQL Servers.
Host Intrusion Prevention with Generic Buffer Overflow protection (GBOP) provides protection against general exploit-based attacks.
Policy Auditor Policy Auditor detects security weaknesses in compromised systems. http://www.mcafee.com/us/products/policy-auditor.aspx
Risk Advisor Risk Advisor provides visibility into configuration errors and security gaps that allow exploitation. http://www.mcafee.com/us/products/risk-advisor.aspx
Network Security Manager    Network Security Manager detects malicious traffic on the network and alerts, allowing rapid response.

The referenced article is available only to registered ServicePortal users.

To view registered articles:
  1. Log on to the ServicePortal at http://support.mcafee.com.
  2. Type the article ID in the search field on the home page.
  3. Click Search or press Enter.
Network Threat Response Network Threat Response detects command and control traffic. http://www.mcafee.com/us/products/network-threat-response.aspx
VirusScan Enterprise VirusScan Enterprise provides protection with DAT 6232 and later. http://www.mcafee.com/us/products/virusscan-enterprise.aspx
Vulnerability Manager Vulnerability Manager detects infected systems as well as the security weaknesses in those systems. http://www.mcafee.com/us/products/vulnerability-manager.aspx
Web Gateway Web Gateway mitigates RAT operations. http://www.mcafee.com/us/products/web-gateway.aspx

IMPORTANT: It is a best practice to install the latest available security updates.

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.