DragonOK

DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [1] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [2]

ID: G0017
Version: 1.0
Created: 31 May 2017
Last Modified: 17 November 2024

Software

ID: S0013
Name: PlugX
References: [2]
Techniques: Application Layer Protocol: Web Protocols; Application Layer Protocol: DNS; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data Staged: Local Data Staging; Debugger Evasion; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Execution Guardrails: Mutual Exclusion; Exfiltration Over C2 Channel; File and Directory Discovery; Hide Artifacts: Hidden Files and Directories; Hide Artifacts: Hidden Window; Hijack Execution Flow: DLL; Impair Defenses: Disable or Modify System Firewall; Indicator Removal: Clear Persistence; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Local Storage Discovery; Masquerading: Masquerade Task or Service; Masquerading: Match Legitimate Resource Name or Location; Modify Registry; Native API; Network Share Discovery; Non-Application Layer Protocol; Non-Standard Port; Obfuscated Files or Information: Binary Padding; Obfuscated Files or Information: Dynamic API Resolution; Obfuscated Files or Information; Obfuscated Files or Information: Encrypted/Encoded File; Peripheral Device Discovery; Process Discovery; Query Registry; Reflective Code Loading; Replication Through Removable Media; Scheduled Task/Job: Scheduled Task; Screen Capture; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Time Discovery; Trusted Developer Utilities Proxy Execution: MSBuild; User Execution: Malicious File; Virtualization/Sandbox Evasion: System Checks; Web Service: Dead Drop Resolver

ID: S0012
Name: PoisonIvy
References: [1]
Techniques: Application Window Discovery; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Boot or Logon Autostart Execution: Active Setup; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data from Local System; Data Staged: Local Data Staging; Encrypted Channel: Symmetric Cryptography; Execution Guardrails: Mutual Exclusion; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Obfuscated Files or Information; Process Injection: Dynamic-link Library Injection; Rootkit

References