SentinelOne documented a series of attacks aimed at government, education, and telecom entities in Southeast Asia and Australia carried out by a previously undocumented Chinese-speaking APT tracked as Aoqin Dragon. The APT primary focus on cyberespionage against targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.
The group has been active since at least 2013, the Aoqin Dragon was observed seeking initial access primarily through document exploits and the use of fake removable devices.
Other techniques employed by the APT group include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.
The researchers point out that the infection chain and TTPs associated with the group evolved over the years, they divide the infection strategy into three parts:
Most of the bait documents are themed around targets who are interested in APAC political affairs, but threat actors also used lure documents themed pornographic topics.
SentinelOne reported that that Aoqin Dragon used to distinct backdoors, the first one dubbed Mongall, while the second one is a modified version of the open source Heyoka project. The threat actors are using the Mongall backdoor (“HJ-client.dll”) since at least 2013, it is not a sophisticated implant, but includes features to create a remote shell and upload and download arbitrary files.
The customized version of the Heyoka backdoor is more powerful and is able to terminate processes, manipulate files, and collect process information on a infected machine.
From 2018 to present, Aoqin Dragon has also been observed using a fake removable device as an initial infection vector. The APT has improved its malicious code over the time to avoid detection.
Below is the attack chain observed recent campaigns:
“Aoqin Dragon is an active cyberespionage group that has been operating for nearly a decade. We have observed the Aoqin Dragon group evolve TTPs several times in order to stay under the radar. We fully expect that Aoqin Dragon will continue conducting espionage operations. In addition, we assess it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and stay longer in their target network. SentinelLabs continues to track this activity cluster to provide insight into their evolution.” concludes the report.
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
(SecurityAffairs – hacking, Aoqin Dragon)