LAC Co., Ltd.

Taking full advantage of cutting-edge technology to make way for the future.

Report An Emergency Incident
Close

24-Hour Consultation, No Reservations Necessary

Emergency Inquiries: Cyber Emergency Center ®

Emergency Response Service to quickly support our customers during security-related emergency cases.
If you are in an emergency situation, please contact us now [Cyber Emergency Center]

Find out more

For inquiries by email

email of Cyber Emergency Center ®

24-Hour Consultation, No Reservations Necessary

Emergency Inquiries: Cyber Emergency Center ®

If you are in an emergency situation, please contact us now [Cyber Emergency Center]

For inquiries by email

email of Cyber Emergency Center ®
Find out more
  1. Security Reports
  2. 2018

How PlugX is related to the APT attack group "DragonOK"

23 JAN 2018 | Warning Alert

Yoshihiro Ishikawa

Yoshihiro Ishikawa

Our Cyber Emergency Center's threat analysis team has confirmed that there have been several targeted attacks from around Oct. 2017 using *1Poison Ivy's PlugX API Hash code (hereinafter referred to as PIPX) as reported on January 12, 2017 through the JPCERT/CC.

This time, we would like to introduce a group using this malware. We discovered this group of attackers during the course of analyzing the PIPX.

For a description of the detailed functions of PIPX, please refer to the JPCERT analysis as described above.

Common Features of PIPX

Our threat analysis team has confirmed several common features of the PIPX, we would like to explain some of them here.

1. File Information and Execution Method

As shown in Figure 1 and Figure 2, the executable file that drops (installs) PIPX uses a RAR file, in a self-extracting format (SFX) with icon resource information.

In addition, the executable file is made up of 3 files, and after the DLL side-loading is exploited, the PIPX code is injected into the legitimate process "nslookup.exe" and executed. (Figure 3)

The files included in the PIPX differ slightly depending on the time of the attack. In the campaign we have seen around Oct 2017, as shown in Figure 2 (boxed in red), it was composed of 3 files, namely, "mcoemcpy.exe, mcutil.dll, Mlog.dat or macafee.res."

On the other hand, in the PIPX we have seen around April 2016, (boxed in blue dotted lines) it consisted of 3 files, "RasTls.exe, RasTls.dll, RasTls.dll.msc."

Figure 1 PIPX icon release information

Figure 1 PIPX icon release information

Figure 2 Files included in the PIPX 2017(top)

Figure 2 Files included in the PIPX 2016(bottom)

Figure 2 Files included in the PIPX 2017(top)/2016(bottom)

Figure 3 PIPX code is injected into the nslookup.exe

Figure 3 PIPX code is injected into the "nslookup.exe"

2. How Automatic Execution works

PIPX is executed automatically by a legitimate program in the Service or the Autorun Registry Key (1), after the DLL side-loading is exploited. During this process, the encrypted data is not read as a file, but it is read from the registry value stored in the specific Registry Key (2). As shown in Figure 4, it can be confirmed that the value of the data in the registry and the file data included in the PIPX are the same.

  • (1) In the case of Administrator rights, "Service" is used, but in the case of General user rights, the "Registry Key" is used
  • (2) HKLM\SOFTWARE\BINARY(In case of Administrator rights) or HKCU\SOFTWARE\BINARY(In case of User rights)

Figure 4 Comparison of payload data. Registry value (Top)

Figure 4 Comparison of payload data. Data included in the PIPX (Bottom)

Figure 4 Comparison of payload data. Registry value (Top)/ Data included in the PIPX (Bottom)

3. Configuration Information

The size of the configuration information is 0x36a4 bytes, as shown in Figure 5, the information is included, PIPX operates based on this information.

Figure 5 Configuration Information (An excerpt of the common parts in the code)

Figure 5 Configuration Information (An excerpt of the common parts in the code)

Figure 5 Configuration Information (An excerpt of the common parts in the code)

PIPX Traffic Destination

By looking at the traffic destination of the PIPX and based on related factors such as the types of malware and the infrastructure, it is clear that there is a high possibility that this crime is from the APT group called "DragonOK". DragonOK is an attack group that mainly targets manufacturing and high-tech industries in countries such as Japan and Taiwan and is reportedly based in China's Jiangsu province based on a report published by Fireye.*2

Figure 6 shows a Maltego mapping of related elements based on some of the characteristic communication patterns and destinations used by PIPX. You can see "jack[.]ondo[at]mail[.]com" (boxed in red line) as the email address used to register the domain of the C2 server. *3 As reported by Palo Alto Networks, the acquired domain (snoozetime[.]info) using this email is the same domain used by a malware called "Aveo" .

By further investigating the related elements, we can see that the IP address "104.202.173[.]82" associated with these domains is used for the domains (boxed in dotted blue line) almost at the same time. This domain, works as a C2 server and uses a malware called "Sysget" which is one of the malware used by "DragonOK" and we have confirmed that at least in Japan, this malware has been used since around 2014, and it was also used for APT attacks in late Nov 2017. In terms of functions, the "Sysget v4" *4 is considered to be the equivalent of a variant.

Figure 6 PIPX-related Traffic Destination

Figure 6 PIPX-related Traffic Destination

DragonOK Expected To Continue Activities Targeting Japan

Although DragonOK activities in Japan were hardly confirmed at the beginning of 2017, around late October, we confirmed some slightly significant movement. From this, since Japan is one of DragonOK's constant targets, we predict that they will actively target Japan on a continuous basis in the future. Our company's threat analysis team would like to continuously investigate this attacker group and will report to the public.

IOC (Indicator Of Compromise)

Hash value

97763d25af878d73d19deabe9ea2d564
29cdae7dc2a7f7376a19e4de91b69c98
58ba2c0ed39d5c874a4933677508f5cc

Traffic Destination

php[.]marbletemps[.]com
bbs[.]donkeyhaws[.]info
http[.]donkeyhaws[.]info
https[.]osakaintec[.]com
206.161.218[.]49
207.226.137[.]207
118.193.163[.]133
103.226.153[.]39

page top