Mongall

Mongall is a malicious software (malware) known for its ability to exploit and damage computer systems. It infiltrates the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Mongall can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware operates by deploying different backdoors, including its own Mongall backdoor and a modified version of the open-source Heyoka backdoor. The payload typically includes these two backdoors, with variations such as "DLL_test loader for Mongall" and "DLL-test for DnsControl", a modified Heyoka backdoor. Attacks attributed to Aoqin Dragon, a notorious cyber threat actor, frequently drop one of these two backdoors. Mongall uses advanced techniques to maintain stealth and ensure effective communication with its command and control servers (C2). It uses GET protocol to send back information from the victim's machine, using either RC4 encryption or base64 encoding to secure the data. Communication occurs over HTTP, using ports like 5050 and 1352. To avoid detection, Mongall injects a DLL into rundll32.exe and an install module into a newly created process. Notably, Mongall's C2 servers have been identified with specific IP addresses and domains. The first observed instance of a Mongall backdoor attack was reported by Unit42 in 2015. They found that the President of Myanmar's website had been used in a watering hole attack on December 24, 2014. Since then, various versions of Mongall have surfaced, each utilizing similar tactics but with slight modifications to maintain efficacy. Faking a C2 server has allowed cybersecurity experts to capture Mongall beacon messages and develop a Python decryption script to reveal each version of the message, aiding in understanding and combating this persistent malware threat.