Aoqin Dragon: Newly-discovered Chinese-linked APT has been quietly spying on organisations for 10 years
June 2022 by SentinelLabs
SentinelLabs has uncovered a cluster of activity by threat actor Aoqin Dragon, dating at least as far back as 2013. Aoqin Dragon’s primary focus is assessed to be espionage, targeting government, education, and telecommunications organisations in Southeast Asia and Australia.
The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors: Mongall, or a modified version of the open source Heyoka project. Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.
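The DNS tunneling mentioned above is something a SOC can triage from ordinary resolver logs. The script below is an added example, not SentinelLabs’ or the page’s own code, and it makes two assumptions: the registered domain is taken to be the last two labels of a query name (a production version would use the public suffix list), and the thresholds (five distinct subdomains, 3.5 bits/char mean entropy, 20-character mean subdomain length) are illustrative starting points, not published indicators. The log lines are constructed; the encoded-looking labels under c2-example.test are 32-character hex strings in which every hex digit appears exactly twice.

```python
"""Heuristic DNS-tunnelling triage over DNS query logs (added example)."""
import math
from collections import defaultdict

HEX = "0123456789abcdef"


def build_sample_log() -> str:
    """Constructed DNS query log: '<epoch> <client> <qname> <qtype>' per line.

    The c2-example.test labels are hex strings with every digit appearing
    exactly twice, i.e. encoded data rather than human-chosen hostnames.
    """
    lines = [
        "1654000001 10.0.0.5 www.example.com A",
        "1654000002 10.0.0.5 mail.example.com MX",
        "1654000003 10.0.0.5 api.example.com A",
        "1654000004 10.0.0.5 cdn.example.com A",
        "1654000005 10.0.0.5 login.example.com A",
        # Long but low-entropy name: a CDN hostname should not trip the detector.
        "1654000006 10.0.0.5 static-assets-eu-west-1.cdn-example.org A",
    ]
    for i in range(6):
        label = HEX[i:] + HEX[:i] + HEX[::-1]  # 32 hex chars, each digit twice
        lines.append(f"165400001{i} 10.0.0.5 {label}.c2-example.test TXT")
    return "\n".join(lines) + "\n"


SAMPLE_DNS_LOG = build_sample_log()


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered domain, subdomain part without dots).

    Assumption: the registered domain is the last two labels. Use the public
    suffix list in a real deployment (co.uk, com.au and friends break this).
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])


def parse_log(text: str):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        yield {"ts": int(ts), "client": client, "qname": qname, "qtype": qtype.upper()}


def score_domains(records, min_distinct=5, min_entropy=3.5, min_length=20):
    """Per registered domain: distinct subdomains, mean entropy, mean length.

    A domain is marked suspicious only when all three gates trip: many distinct
    subdomains (data carried in queries), high entropy (encoded data) and long
    names (throughput). Any single gate alone is noisy: CDNs use long descriptive
    hostnames and large sites have many subdomains.
    """
    per_domain = defaultdict(lambda: {"subs": set(), "ent": [], "len": [], "txt": 0, "n": 0})
    for r in records:
        domain, sub = split_name(r["qname"])
        st = per_domain[domain]
        st["n"] += 1
        st["subs"].add(sub)
        st["ent"].append(shannon_entropy(sub))
        st["len"].append(len(sub))
        if r["qtype"] in ("TXT", "NULL", "CNAME"):  # record types with room for data
            st["txt"] += 1
    result = {}
    for domain, st in per_domain.items():
        mean_entropy = sum(st["ent"]) / len(st["ent"])
        mean_length = sum(st["len"]) / len(st["len"])
        distinct = len(st["subs"])
        result[domain] = {
            "queries": st["n"],
            "distinct_subdomains": distinct,
            "mean_entropy": round(mean_entropy, 3),
            "mean_length": round(mean_length, 1),
            "txt_fraction": round(st["txt"] / st["n"], 2),
            "suspicious": distinct >= min_distinct
            and mean_entropy >= min_entropy
            and mean_length >= min_length,
        }
    return result


def suspicious_domains(text: str):
    """Sorted registered domains whose query pattern looks like tunnelling."""
    return sorted(d for d, st in score_domains(parse_log(text)).items() if st["suspicious"])


if __name__ == "__main__":
    for domain, st in score_domains(parse_log(SAMPLE_DNS_LOG)).items():
        print(domain, st)
    print("suspicious:", suspicious_domains(SAMPLE_DNS_LOG))
```

On the constructed log only c2-example.test trips all three gates; example.com has five distinct subdomains but a mean entropy around 1.5 bits/char, and the long CDN hostname is a single low-entropy query. Tune the thresholds against your own baseline before alerting on them.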
Based on its analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, SentinelLabs assesses with moderate confidence that the threat actor is a small Chinese-speaking team with potential association to the Naikon APT group, as well as to UNC94.
Aoqin Dragon’s infection strategy has three parts:
Using a document exploit: tricking the user into opening a weaponised Word document that installs a backdoor.
Luring users into double-clicking a fake anti-virus executable, which runs the malware on the victim’s host.
Forging a fake removable device that lures users into opening the wrong folder, so that the malware is installed on their system.
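The third vector above, together with the “USB shortcut techniques” noted earlier, is the one a removable-media scanner can catch on disk. The script below is an added example, not SentinelLabs’ or the page’s own code, and it assumes the common form of the folder-shortcut lure: a real folder on the drive is hidden and a .lnk file carrying the same name (and a folder icon) is left in its place, pointing at an executable instead of a directory. The shortcut header fields it reads (HeaderSize, LinkCLSID, LinkFlags, FileAttributes) are the public MS-SHLLINK layout; the drive contents are constructed in a temporary directory, and the hidden-attribute check is only exact on Windows.

```python
"""Scanner for the removable-drive "folder shortcut" lure (added example)."""
import struct
import tempfile
from pathlib import Path

# ShellLinkHeader constants from the MS-SHLLINK format.
LNK_HEADER_SIZE = 0x4C
# Little-endian bytes of LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x20        # LinkFlags: a command line is passed to the target
HAS_ICON_LOCATION = 0x40    # LinkFlags: the shortcut carries its own icon
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_ARCHIVE = 0x20


def parse_lnk_header(data: bytes):
    """Return LinkFlags and the target's FileAttributes, or None if not a .lnk."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    size, clsid, link_flags, target_attrs = struct.unpack_from("<I16sII", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return None
    return {"link_flags": link_flags, "target_attributes": target_attrs}


def build_lnk_header(link_flags: int, target_attrs: int) -> bytes:
    """Constructed 76-byte ShellLinkHeader: zero timestamps, SW_SHOWNORMAL."""
    return struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, link_flags,
                       target_attrs, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows; dot-prefix elsewhere (portable approximation)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def scan_volume(root: Path):
    """Inspect top-level .lnk files, where the lure sits on a removable drive."""
    findings = []
    for lnk in sorted(root.glob("*.lnk")):
        header = parse_lnk_header(lnk.read_bytes())
        if header is None:
            continue  # not a shell link despite the extension
        sibling = root / lnk.stem
        target_is_dir = bool(header["target_attributes"] & FILE_ATTRIBUTE_DIRECTORY)
        # The tell: a shortcut named after a folder on the same drive whose
        # target is a file. A genuine "open this folder" shortcut targets a directory.
        if not (sibling.is_dir() and not target_is_dir):
            continue
        reasons = ["named like a sibling folder but its target is not a directory"]
        if is_hidden(sibling):
            reasons.append("the real folder is hidden")
        if header["link_flags"] & HAS_ARGUMENTS:
            reasons.append("passes command-line arguments to the target")
        if header["link_flags"] & HAS_ICON_LOCATION:
            reasons.append("carries its own icon (typically the folder icon)")
        findings.append({"name": lnk.name, "reasons": reasons})
    return findings


def suspicious_shortcuts(root: Path):
    return sorted(f["name"] for f in scan_volume(root))


def build_sample_volume(root: Path) -> None:
    """Constructed drive layout: one lure, two benign shortcuts, some noise."""
    (root / "Documents").mkdir()
    (root / "Photos").mkdir()
    # Lure: looks like the Documents folder, actually launches a file with arguments.
    (root / "Documents.lnk").write_bytes(
        build_lnk_header(HAS_ARGUMENTS | HAS_ICON_LOCATION, FILE_ATTRIBUTE_ARCHIVE))
    # Benign: a shortcut whose target really is the Photos directory.
    (root / "Photos.lnk").write_bytes(build_lnk_header(0, FILE_ATTRIBUTE_DIRECTORY))
    # Benign: a shortcut to a document with no folder of the same name.
    (root / "Report.lnk").write_bytes(build_lnk_header(0, FILE_ATTRIBUTE_ARCHIVE))
    (root / "notes.txt").write_text("not a shortcut\n")
    (root / "broken.lnk").write_bytes(b"\x4c\x00\x00\x00junk")  # too short: ignored


def demo():
    """Build the sample drive in a temp dir and return the flagged shortcut names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_volume(root)
        return suspicious_shortcuts(root)


if __name__ == "__main__":
    print(demo())
```

The decisive check is the name collision between a shortcut and a sibling folder whose shortcut target is not a directory; the hidden attribute, arguments and custom icon are recorded as supporting evidence rather than used as gates, because legitimate shortcuts carry them too. Resolving the actual target path would need the LinkTargetIDList and LinkInfo structures, which this header-only parser deliberately does not decode.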
Aoqin Dragon’s targeting closely aligns with the Chinese government’s political interests. SentinelLabs primarily observed Aoqin Dragon targeting government, education, and telecommunications organisations in Southeast Asia and Australia; given this long-term effort and the continuous targeted attacks over the past few years, the threat actor’s motives are assessed to be espionage-oriented.
Aoqin Dragon is an active cyberespionage group that has been operating for nearly a decade and has been observed evolving its TTPs several times in order to stay under the radar. SentinelLabs fully expects Aoqin Dragon to continue conducting espionage operations and considers it likely that the group will also continue to advance its tradecraft, finding new methods of evading detection and staying longer in its targets’ networks.