Group description: DragonOK

attack.mitre.org · MITRE ATT&CK · 20 hours ago · news
DragonOK, Group G0017 | MITRE ATT&CK

DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Because of overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [1] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [2]

ID: G0017
Version: 1.0
Created: 31 May 2017
Last Modified: 17 November 2024

Software

S0013 PlugX [2]
Techniques:
  Application Layer Protocol: Web Protocols
  Application Layer Protocol: DNS
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  Command and Scripting Interpreter: Windows Command Shell
  Create or Modify System Process: Windows Service
  Data Staged: Local Data Staging
  Debugger Evasion
  Deobfuscate/Decode Files or Information
  Encrypted Channel: Symmetric Cryptography
  Execution Guardrails: Mutual Exclusion
  Exfiltration Over C2 Channel
  File and Directory Discovery
  Hide Artifacts: Hidden Files and Directories
  Hide Artifacts: Hidden Window
  Hijack Execution Flow: DLL
  Impair Defenses: Disable or Modify System Firewall
  Indicator Removal: Clear Persistence
  Indicator Removal: File Deletion
  Ingress Tool Transfer
  Input Capture: Keylogging
  Local Storage Discovery
  Masquerading: Masquerade Task or Service
  Masquerading: Match Legitimate Resource Name or Location
  Modify Registry
  Native API
  Network Share Discovery
  Non-Application Layer Protocol
  Non-Standard Port
  Obfuscated Files or Information: Binary Padding
  Obfuscated Files or Information: Dynamic API Resolution
  Obfuscated Files or Information
  Obfuscated Files or Information: Encrypted/Encoded File
  Peripheral Device Discovery
  Process Discovery
  Query Registry
  Reflective Code Loading
  Replication Through Removable Media
  Scheduled Task/Job: Scheduled Task
  Screen Capture
  System Information Discovery
  System Location Discovery
  System Network Configuration Discovery
  System Network Connections Discovery
  System Owner/User Discovery
  System Time Discovery
  Trusted Developer Utilities Proxy Execution: MSBuild
  User Execution: Malicious File
  Virtualization/Sandbox Evasion: System Checks
  Web Service: Dead Drop Resolver

S0012 PoisonIvy [1]
Techniques:
  Application Window Discovery
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  Boot or Logon Autostart Execution: Active Setup
  Command and Scripting Interpreter: Windows Command Shell
  Create or Modify System Process: Windows Service
  Data from Local System
  Data Staged: Local Data Staging
  Encrypted Channel: Symmetric Cryptography
  Execution Guardrails: Mutual Exclusion
  Ingress Tool Transfer
  Input Capture: Keylogging
  Modify Registry
  Obfuscated Files or Information
  Process Injection: Dynamic-link Library Injection
  Rootkit

References
[1] Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). Operation Quantum Entanglement. Retrieved November 17, 2024.
[2] Miller-Osborn, J., Grunzweig, J. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.
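The practical use of a group page like this one is to turn the software table into a detection priority list. The script below is an added example, not code from MITRE or the ATT&CK site: it parses the two technique cells exactly as they are scraped from the table (comma-separated, "Technique : Sub-technique"), then reports which techniques every catalogued tool shares, at sub-technique and at parent-technique granularity. The two cell strings are transcribed from the table above; technique IDs are not on the page, so everything is keyed by name. The function and constant names are this example's own.

```python
"""Added example (not from the ATT&CK page): find the techniques that DragonOK's
catalogued tools have in common, as a starting point for detection coverage.

The two cells below are transcribed from the G0017 software table on the page,
in the comma-separated "Technique : Sub-technique" form of the scraped cell.
Technique IDs are not on the page, so everything is keyed by name.
"""
from collections import Counter
from typing import Optional

PLUGX_CELL = (  # S0013 PlugX, transcribed from the page
    "Application Layer Protocol : Web Protocols , Application Layer Protocol : DNS , "
    "Boot or Logon Autostart Execution : Registry Run Keys / Startup Folder , "
    "Command and Scripting Interpreter : Windows Command Shell , "
    "Create or Modify System Process : Windows Service , Data Staged : Local Data Staging , "
    "Debugger Evasion , Deobfuscate/Decode Files or Information , "
    "Encrypted Channel : Symmetric Cryptography , Execution Guardrails : Mutual Exclusion , "
    "Exfiltration Over C2 Channel , File and Directory Discovery , "
    "Hide Artifacts : Hidden Files and Directories , Hide Artifacts : Hidden Window , "
    "Hijack Execution Flow : DLL , Impair Defenses : Disable or Modify System Firewall , "
    "Indicator Removal : Clear Persistence , Indicator Removal : File Deletion , "
    "Ingress Tool Transfer , Input Capture : Keylogging , Local Storage Discovery , "
    "Masquerading : Masquerade Task or Service , "
    "Masquerading : Match Legitimate Resource Name or Location , Modify Registry , "
    "Native API , Network Share Discovery , Non-Application Layer Protocol , "
    "Non-Standard Port , Obfuscated Files or Information : Binary Padding , "
    "Obfuscated Files or Information : Dynamic API Resolution , "
    "Obfuscated Files or Information , "
    "Obfuscated Files or Information : Encrypted/Encoded File , "
    "Peripheral Device Discovery , Process Discovery , Query Registry , "
    "Reflective Code Loading , Replication Through Removable Media , "
    "Scheduled Task/Job : Scheduled Task , Screen Capture , "
    "System Information Discovery , System Location Discovery , "
    "System Network Configuration Discovery , System Network Connections Discovery , "
    "System Owner/User Discovery , System Time Discovery , "
    "Trusted Developer Utilities Proxy Execution : MSBuild , "
    "User Execution : Malicious File , Virtualization/Sandbox Evasion : System Checks , "
    "Web Service : Dead Drop Resolver"
)

POISONIVY_CELL = (  # S0012 PoisonIvy, transcribed from the page
    "Application Window Discovery , "
    "Boot or Logon Autostart Execution : Registry Run Keys / Startup Folder , "
    "Boot or Logon Autostart Execution : Active Setup , "
    "Command and Scripting Interpreter : Windows Command Shell , "
    "Create or Modify System Process : Windows Service , Data from Local System , "
    "Data Staged : Local Data Staging , Encrypted Channel : Symmetric Cryptography , "
    "Execution Guardrails : Mutual Exclusion , Ingress Tool Transfer , "
    "Input Capture : Keylogging , Modify Registry , Obfuscated Files or Information , "
    "Process Injection : Dynamic-link Library Injection , Rootkit"
)

Technique = tuple[str, Optional[str]]  # (technique, sub-technique or None)


def parse_cell(cell: str) -> list[Technique]:
    """Split a scraped ATT&CK techniques cell into (technique, sub-technique) pairs.

    Entries are comma-separated; only the first ':' separates a technique from
    its sub-technique, so names containing '/' or '-' pass through untouched,
    and a parent-only entry such as 'Modify Registry' yields (name, None).
    """
    pairs: list[Technique] = []
    for item in cell.split(","):
        item = item.strip()
        if not item:
            continue
        tech, sep, sub = item.partition(":")
        pairs.append((tech.strip(), sub.strip() if sep else None))
    return pairs


SOFTWARE = {
    "S0013 PlugX": parse_cell(PLUGX_CELL),
    "S0012 PoisonIvy": parse_cell(POISONIVY_CELL),
}


def label(key) -> str:
    """Render a key back into ATT&CK's 'Technique: Sub-technique' form."""
    if isinstance(key, tuple):
        tech, sub = key
        return f"{tech}: {sub}" if sub else tech
    return key


def technique_counts(software: dict, level: str = "sub") -> Counter:
    """Count, per technique, how many of the group's tools exhibit it.

    level="sub" keys on the full (technique, sub-technique) pair; level="technique"
    collapses sub-techniques onto their parent, the granularity most coverage
    scoring uses. Each tool is counted at most once per key (set, not list).
    """
    counts: Counter = Counter()
    for pairs in software.values():
        counts.update({pair if level == "sub" else pair[0] for pair in pairs})
    return counts


def shared_techniques(software: dict, level: str = "sub") -> list:
    """Techniques present in every catalogued tool: the overlap a detection
    engineer covers first, since one rule pays off against all of them."""
    n = len(software)
    hits = [k for k, c in technique_counts(software, level).items() if c == n]
    return sorted(hits, key=label)


if __name__ == "__main__":
    for level in ("sub", "technique"):
        hits = shared_techniques(SOFTWARE, level)
        print(f"{len(hits)} techniques shared by all {len(SOFTWARE)} tools ({level} level):")
        for key in hits:
            print("  " + label(key))
```

Two caveats when reading the output. An ATT&CK software entry aggregates public reporting on that malware family, so a technique listed under PlugX is a capability of PlugX, not evidence that DragonOK exercised it in the campaigns cited here; and several of the shared items (Windows Command Shell, Modify Registry, Ingress Tool Transfer) are far too common in benign activity to be detections on their own, so treat the overlap as a place to start tuning rather than a rule set.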