A previously undocumented Chinese-speaking threat actor has been quietly targeting government, education, and telecommunication organizations in Southeast Asia and Australia in cyber-espionage campaigns dating back as far as 2013.
Dubbed “Aoqin Dragon” by SentinelLabs researchers, the group is primarily focused on espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.
“Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices. Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection,” the researchers said.
As per SentinelLabs, Aoqin Dragon infection strategy involves three stages:
-
Using a document exploit and tricking the user into opening a weaponized Word document to install a backdoor.
-
Luring users into double-clicking a fake Anti-Virus to execute malware in the victim’s host.
-
Forging a fake removable device to lure users into opening the wrong folder and installing the malware successfully on their system.
The group is said to have some level of association with another Chinese-speaking advanced persistent threat group known as Naikon (aka PLA Unit 78020, APT 30, APT30, Override Panda, Camerashy, Lotus Panda, Hellsing, Bronze Geneva), whose primary targets are top-level government agencies and civil and military organizations.
Aoqin Dragon has been observed using document lures with pornographic themes to infect users and leveraging USB shortcut techniques to spread the malware and infect additional targets. The group’s attacks typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project, a proof-of-concept of an exfiltration tool which uses spoofed DNS requests to create a bidirectional tunnel.
During 2012 to 2015, Aoqin Dragon heavily abused vulnerabilities in Microsoft Office to compromise their targets, but since 2018 has been using a fake removable device as an initial infection vector.
“Aoqin Dragon rely heavily on the DLL hijacking technique to compromise targets and run their malware of choice. This includes their newest malware loader, Mongall backdoor, and a modified Heyoka backdoor,” the researchers noted.
While Mongall offers little in terms of features, the modified Heyoka backdoor provides the expanded functionality, as well as two hardcoded command and control servers. Although both have shell ability, the modified Heyoka backdoor is generally closer to a complete backdoor product, the researchers said.
“Aoqin Dragon is an active cyberespionage group that has been operating for nearly a decade. We have observed the Aoqin Dragon group evolve TTPs several times in order to stay under the radar. We fully expect that Aoqin Dragon will continue conducting espionage operations. In addition, we assess it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and stay longer in their target network,” SentinelLabs concluded.