Threat Intelligence, Incident Response, Malware, TDR

‘Moafee’ and ‘DragonOK’ APT groups leverage similar attack tools, techniques

Two attack groups with differing targets and objectives have made use of similar malicious tools and techniques, leading researchers to believe the saboteurs are working “in parallel.”

According to FireEye, which blogged about attackers' activities last week, remote access trojans (RATs)– ranging from freely available ones, like Poison Ivy, to highly customized RATs – were used by two groups called "Moafee" and "DragonOK."

Moafee's activities have previously included attacks on military and government organizations with national interests in the South China Sea area, FireEye revealed in the Wednesday post. DragonOK, on the other hand, has been linked with attacks on high-tech and manufacturing firms in Taiwan and Japan.

The groups also operate in different regions of China, but the shared use of specific tools, techniques and procedures (TTPs) were explained in detail by FireEye.

Of note, both DragonOK and Moafee were found to use a poxy tool called HUC Packet Transmit Tool (HTRAN) “to disguise their geographical locations,” researchers said.

“Both utilize password-protected documents and large size files to disguise their attacks,” the blog post continued, later adding that spear phishing emails were often used an initial attack vector by Moafee and DragonOK.

In addition to utilizing Poison Ivy, a widely used RAT released in 2005 with keylogging, screen-and video-capturing, and file-transferring capabilities, the APT groups have also used other RATs called  “Mongall,” “Nflog,” and “CT/NewCT/NewCT2,” FireEye revealed.

In a Friday interview with, Thoufique Haq, a senior researcher scientist at FireEye who also co-authored the blog post, explained that the latter three RATS were considered "highly custom tools [since FireEye has] only seen three groups using them.”

Haq added that FireEye monitored Moafee between January and March of 2014, while it tracked the DragonOK group between August and December of 2013.

“We do believe that these groups have been operating for much longer than this, possibly for a few years before we observed them,” Haq said.

DragonOK, believed to operate out of China's Jiangsu Province, is thought to be after trade secrets so attackers can gain a “competitive economic advantage in the area,” the blog post said. While, Moafee's activities have “national security implications” due to their military and government targets, Haq told

FireEye determined that the groups may be tied through attack collaboration, or by possibly receiving the same training regimen. Other possibilities were that the groups share a common toolkit supply chain, or that a combination of all of the aforementioned scenarios exists," which means they are employing a ‘production line'-type approach to initiating cyber attacks to breach defenses,” the blog post said.

FireEye also noted that a third attack group appeared to be using the same tools, techniques and procedures, as well, but that there was not yet enough evidence for them to make the Moafee-DragonOK connection.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.