Two attack groups with differing targets and objectives have made use of similar malicious tools and techniques, leading researchers to believe the saboteurs are working “in parallel.”
According to FireEye, which blogged about the attackers' activities last week, remote access trojans (RATs) – ranging from freely available ones, like Poison Ivy, to highly customized RATs – were used by two groups called "Moafee" and "DragonOK."
Moafee's activities have previously included attacks on military and government organizations with national interests in the South China Sea area, FireEye revealed in the Wednesday post. DragonOK, on the other hand, has been linked with attacks on high-tech and manufacturing firms in Taiwan and Japan.
The groups also operate in different regions of China, but their shared use of specific tools, techniques and procedures (TTPs) was explained in detail by FireEye.
Of note, both DragonOK and Moafee were found to use a proxy tool called HUC Packet Transmit Tool (HTRAN) “to disguise their geographical locations,” researchers said.
“Both utilize password-protected documents and large size files to disguise their attacks,” the blog post continued, later adding that spear phishing emails were often used as an initial attack vector by Moafee and DragonOK.
In addition to utilizing Poison Ivy, a widely used RAT released in 2005 with keylogging, screen- and video-capturing, and file-transferring capabilities, the APT groups have also used other RATs called “Mongall,” “Nflog,” and “CT/NewCT/NewCT2,” FireEye revealed.
In a Friday interview with SCmagazine.com, Thoufique Haq, a senior research scientist at FireEye who also co-authored the blog post, explained that the latter three RATs were considered “highly custom tools [since FireEye has] only seen three groups using them.”