DragonOK is back and recently targeted Japanese organizations in several industries, including manufacturing, technology, energy, higher education and semiconductor, Palo Alto Networks said in a blog post published on Thursday.
DragonOK, a China-linked hacking group, has updated its toolset. Based on the new decoy documents used in the attacks, the researchers concluded that the group is expanding its targeting to Russia and Tibet.
According to the experts at Palo Alto Networks, one of the malware families used by the DragonOK APT, dubbed Sysget, was previously used to target entities in Taiwan. The same security firm has identified three new versions of Sysget, each improved over the previous generation in ways that make them harder to detect and analyse.
Sysget was delivered through phishing emails carrying specially crafted documents set up to exploit CVE-2015-1641, one of the most widely used Microsoft Office vulnerabilities to date. CVE-2015-1641 is known to have been exploited by APT actors that focus on East Asia.
Palo Alto also observed DragonOK hackers using two other malware families, IsSpace and TidePool. IsSpace is an evolution of the NFlog backdoor used by both DragonOK and Moafee. The second family, TidePool, was observed earlier this year in targeted attacks by a different Chinese APT group, tracked as Operation Ke3chang. IsSpace was previously seen in a watering hole attack targeting an aerospace company, but the samples spotted recently appear to have been updated.
DragonOK has now used the TidePool malware in targeted attacks against organizations in Russia and Tibet.