A China-linked threat group known as DragonOK has updated its toolset, and the decoy documents it has used in attacks suggest that its list of targets may have been expanded to include Russia and Tibet.
The first report on DragonOK’s activities was published by FireEye in September 2014. At the time, the security firm said the threat actor focused on high-tech and manufacturing companies in Japan and Taiwan, and noted that its goal appeared to be economic espionage.
In Japan, considered DragonOK’s main target, the group has recently attacked organizations in several industries, including manufacturing, higher education, technology, energy and semiconductor, Palo Alto Networks said in a blog post published on Thursday.
One of the pieces of malware known to be used by the actor, dubbed “Sysget,” has been delivered to targets in Taiwan. The security firm has observed three new versions of Sysget, each adding features that make the malware harder to detect and analyze.
Sysget has been delivered via phishing emails carrying specially crafted documents that exploit CVE-2015-1641, a memory corruption flaw in Microsoft Word's RTF parser (patched in MS15-033) that remains one of the most widely exploited Microsoft Office vulnerabilities. CVE-2015-1641 is known to have been exploited by APT actors that focus on East Asia.
The group also targeted Taiwan with a piece of malware named “IsSpace.” This Trojan is believed to be an evolution of the NFlog backdoor, which has been used by both DragonOK and a different China-based threat group tracked as Moafee. IsSpace was previously seen in a watering hole attack targeting an aerospace company, but the samples spotted recently appear to have been updated.
Palo Alto Networks said recent DragonOK attacks also involved a piece of malware known as TidePool. Researchers observed this Trojan earlier this year in attacks launched by a different China-linked group against Indian embassies, but it had not been used by DragonOK in earlier campaigns. DragonOK appears to have leveraged TidePool in attacks aimed at entities in Russia and Tibet.
The Russian-language decoy document used by the attackers referenced GOST, the Soviet-era block cipher (GOST 28147-89) designed in the 1970s and published as a standard in 1989. The malicious document believed to be aimed at Tibet, or at individuals interested in Tibetan affairs, contained an internal newsletter from the Central Tibetan Ministry.
Researchers discovered only a handful of links between the C&C domains of TidePool, IsSpace and Sysget, including a registrant email address associated with domains used by both Sysget and TidePool.
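The registrant-email overlap described above is a standard infrastructure pivot: collect WHOIS records for each family's C&C domains and look for registrant fields shared across families. The following Python is an added example of that pivot and is not code from Palo Alto Networks' report; the domains, family labels and email addresses are constructed placeholders, not DragonOK's real infrastructure.

```python
"""Pivot on WHOIS registrant email to link C&C domains across malware families.

Added example. The records below are constructed sample data (domain,
malware family observed using it, registrant email from WHOIS); none are
real DragonOK indicators.
"""
from collections import defaultdict

RECORDS = [
    ("sysget-c2-a.example", "Sysget", "reg1@example.net"),
    ("sysget-c2-b.example", "Sysget", "reg2@example.net"),
    ("tidepool-c2-a.example", "TidePool", "REG1@example.net"),   # same registrant, different case
    ("isspace-c2-a.example", "IsSpace", "reg3@example.net"),
    ("tidepool-c2-b.example", "TidePool", None),                 # privacy-protected WHOIS
]

# Addresses that appear on thousands of unrelated domains (privacy proxies,
# resellers) are noise, not attribution. Constructed list for illustration.
NOISE_EMAILS = {"privacy@example-proxy.test"}


def cluster_by_registrant(records):
    """Group (domain, family) pairs by normalized registrant email.

    Records with no registrant email (redacted WHOIS) or with a known
    privacy-proxy address are skipped rather than grouped together.
    """
    clusters = defaultdict(list)
    for domain, family, email in records:
        if not email:
            continue
        key = email.strip().lower()
        if key in NOISE_EMAILS:
            continue
        clusters[key].append((domain, family))
    return dict(clusters)


def cross_family_links(records):
    """Return {registrant_email: sorted families} for emails shared by
    domains of more than one malware family. These are the overlaps an
    analyst would then verify with other pivots (IPs, SSL certs, timing)."""
    links = {}
    for email, members in cluster_by_registrant(records).items():
        families = sorted({fam for _, fam in members})
        if len(families) > 1:
            links[email] = families
    return links


if __name__ == "__main__":
    for email, families in cross_family_links(RECORDS).items():
        print(f"{email}: shared by {', '.join(families)}")
```

A single shared registrant is a lead, not proof of a common operator; the script deliberately drops redacted records and known proxy addresses so that privacy-protected domains are not collapsed into one false cluster.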
Additional technical details on the malware and infrastructure observed in these DragonOK attacks are available in Palo Alto Networks’ blog post.