Skip to content

G0017 DragonOK

DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 1 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. 2

Item Value
ID G0017
Associated Names
Version 1.0
Created 31 May 2017
Last Modified 22 March 2019
Navigation Layer View In ATT&CK® Navigator

Software

ID Name References Techniques
S0013 PlugX 2 DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts DLL Side-Loading:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Ingress Tool Transfer Keylogging:Input Capture Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Native API Network Share Discovery Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Query Registry Screen Capture System Network Connections Discovery MSBuild:Trusted Developer Utilities Proxy Execution System Checks:Virtualization/Sandbox Evasion Dead Drop Resolver:Web Service
S0012 PoisonIvy 1 Application Window Discovery Active Setup:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Rootkit

References

  1. Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 4, 2015. 

  2. Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.