SentinelLabs has uncovered a cluster of activity by the threat actor Aoqin Dragon, dating at least as far back as 2013. Aoqin Dragon's primary focus is assessed to be espionage, targeting government, education and telecommunications organisations in south-east Asia and Australia.
The threat actor has a history of using document lures with pornographic themes to infect users, and makes heavy use of USB shortcut techniques to spread malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors: Mongall, or a modified version of the open-source Heyoka project. Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files and DNS tunnelling to evade post-compromise detection.
Based on its analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, SentinelLabs assesses with moderate confidence that the threat actor is a small Chinese-speaking team with a potential association to the Naikon APT group, in addition to UNC94.
Aoqin Dragon's infection strategy consists of three parts:
- Using a document exploit and tricking the user into opening a weaponised Word document to install a backdoor.
- Luring users into double-clicking a fake antivirus to execute malware on the victim's host.
- Forging a fake removable device that lures users into opening the wrong folder, so that the malware is installed on their system.
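The removable-device lure in the third step, as an added detection example (this is not SentinelLabs' code or a tool from the report): it parses the .lnk files on a removable drive and flags shortcuts that carry the name of a hidden sibling folder, point at a living-off-the-land binary instead of a folder, start with a minimised window, or re-open the folder after running. The hidden-folder-plus-same-name-shortcut pattern, the suspicious-target list, the dot-prefix stand-in for the hidden attribute on POSIX, and the sample command line are generic assumptions made for the demo, not details recovered from the campaign.

```python
"""Triage shortcuts on a removable drive for the folder-impersonation lure.

Added example, not SentinelLabs' code or a tool from the report. It looks for the generic
USB shortcut pattern: the real folder on the stick is marked hidden and a .lnk named after it
is placed beside it, so "opening the folder" first runs the shortcut's target (typically a
living-off-the-land binary with a hidden window), which then re-opens the real folder.
Layout follows MS-SHLLINK; only what triage needs is parsed. All samples are constructed.
"""
import os
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# LinkFlags bits (MS-SHLLINK 2.1.1) and the ShowCommand values that matter here
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7
FILE_ATTRIBUTE_HIDDEN = 0x02
# Targets that mean "run something" rather than "open a folder" (assumed generic list)
SUSPICIOUS_TARGETS = {"cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe", "powershell.exe"}

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and StringData of a shell link. IDList/LinkInfo are skipped;
    a production tool should also resolve LinkInfo.LocalBasePath, as lures often omit RELATIVE_PATH."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    off = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0] * width  # CountCharacters -> bytes
            raw = data[off + 2:off + 2 + count]
            off += 2 + count
            info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return info

def triage_lnk(lnk_name: str, data: bytes, hidden_dirs: set) -> list:
    """Return the reasons a shortcut looks like a folder lure (empty list if none)."""
    info = parse_lnk(data)
    stem = os.path.splitext(lnk_name)[0]
    target = info.get("relative_path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    args = info.get("arguments", "")
    reasons = []
    if stem in hidden_dirs:
        reasons.append(f"named after hidden folder '{stem}'")
    if target in SUSPICIOUS_TARGETS:
        reasons.append(f"target is {target}, not a folder")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimised and unfocused")
    if stem and stem in args and "explorer" in args.lower():
        reasons.append("arguments re-open the real folder after the payload runs")
    return reasons

def scan_drive(root: str) -> dict:
    """Map every suspicious .lnk under root to its triage reasons."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Hidden attribute on Windows; a dot prefix stands in for it on POSIX so the demo runs anywhere
        hidden = set()
        for d in dirnames:
            attrs = getattr(os.stat(os.path.join(dirpath, d)), "st_file_attributes", 0)
            if attrs & FILE_ATTRIBUTE_HIDDEN or d.startswith("."):
                hidden.update({d, d.lstrip(".")})
        for fn in (f for f in filenames if f.lower().endswith(".lnk")):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                reasons = triage_lnk(fn, data, hidden)
            except ValueError:
                continue  # not a real shell link (e.g. another file type renamed to .lnk)
            if reasons:
                findings[path] = reasons
    return findings

def build_lnk(relative_path: str, arguments: str, show_cmd: int = SW_SHOWNORMAL) -> bytes:
    """Constructed sample: minimal Unicode shell link carrying only RELATIVE_PATH and ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += struct.pack("<I", 0) + b"\x00" * 24     # FileAttributes, three zero FILETIMEs
    header += struct.pack("<III", 0, 0, show_cmd)      # FileSize, IconIndex, ShowCommand
    header += struct.pack("<HHII", 0, 0, 0, 0)         # HotKey, Reserved1..3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body + b"\x00\x00\x00\x00"         # empty ExtraData terminal block

if __name__ == "__main__":
    # Constructed lure: "Documents.lnk" beside a hidden "Documents" folder runs a payload, then re-opens it
    lure = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                     r'/c start "" .\Documents\p.exe & explorer Documents', SW_SHOWMINNOACTIVE)
    print(triage_lnk("Documents.lnk", lure, {"Documents"}))
```

Point scan_drive at the mount point of the stick; each hit lists why the shortcut was flagged. The parser deliberately reads only the header and StringData, so a shortcut whose target lives solely in the IDList or LinkInfo block is reported only by the name and window heuristics; resolving LinkInfo.LocalBasePath is the first thing to add before relying on this for real triage.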
Aoqin Dragon's targeting closely aligns with the political interests of the Chinese government. SentinelLabs primarily observed the group targeting government, education and telecommunications organisations in south-east Asia and Australia; given this long-term effort and the continuous targeted attacks over the past few years, the threat actor's motives are assessed to be espionage-oriented.
Aoqin Dragon is an active cyberespionage group that has been operating for nearly a decade, and it has been observed evolving its TTPs several times in order to stay under the radar.