Aoqin Dragon hackers use espionage to target government, education, telecoms across Southeast Asia, Australia

SentinelOne researchers disclosed Thursday the presence of Aoqin Dragon, a threat actor that SentinelLabs has been extensively tracking and that has been operating since 2013. Aoqin Dragon’s targeting closely aligns with the Chinese government’s political interests: it attacks government, education, and telecommunication organizations in Southeast Asia and Australia. The group’s primary focus is espionage, with targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.

“The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets,” Joey Chen wrote in a SentinelOne blog post. “Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open-source Heyoka project.” 

The SentinelOne research follows a joint cybersecurity advisory issued by U.S. security agencies this week outlining the ways in which Chinese state-sponsored hackers continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. The advisory identified that these People’s Republic of China (PRC) state-sponsored hackers frequently utilize open-source tools for reconnaissance and vulnerability scanning, and use the network to exploit various targets worldwide, including public and private sector organizations.

SentinelOne said that Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices. Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection. Moreover, “based on our analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, we assess with moderate confidence the threat actor is a small Chinese-speaking team with potential association to UNC94 (Mandiant),” the post added.

Chen also noted that the Aoqin Dragon group has evolved its TTPs several times in order to stay under the radar. “We fully expect that Aoqin Dragon will continue conducting espionage operations. In addition, we assess it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and staying longer in their target network. SentinelLabs continues to track this activity cluster to provide insight into their evolution,” he added.

Throughout its analysis of Aoqin Dragon campaigns, SentinelOne observed a clear evolution in the group’s infection chain and TTPs. It divided the infection strategy into three parts: using a document exploit that tricks the user into opening a weaponized Word document to install a backdoor; luring users into double-clicking a fake anti-virus to execute malware on the victim’s host; and forging a fake removable device to lure users into opening the wrong folder, which installs the malware on their system.

SentinelOne said that between 2012 and 2015, Aoqin Dragon relied heavily on CVE-2012-0158 and CVE-2010-3333 to compromise their targets. “FireEye published a blog in 2014 detailing related activity using lure documents themed around the disappearance of Malaysia Airlines Flight MH370 to conduct their attacks. Although those vulnerabilities are very old and were patched before being deployed by Aoqin Dragon, this kind of RTF-handling vulnerability decoy was very common in that period,” it added.

The research identified three notable points about these decoy documents. “First, most decoy content is themed around targets who are interested in APAC political affairs. Second, the actors made use of lure documents themed to pornographic topics to entice the targets. Third, in many cases, the documents are not specific to one country but rather the entirety of Southeast Asia,” it added.

From 2018 onwards, the Aoqin Dragon actor has also been observed using a fake removable device as an initial infection vector. Over time, the actor upgraded the malware to protect it from being detected and removed by security products.

Some of its recent campaigns use a Removable Disk shortcut file that contains a specific path to initiate the malware. When a user clicks the fake device, it executes the ‘Evernote Tray Application’ and uses DLL hijacking to load the malicious encrashrep.dll loader as explorer.exe. After the loader executes, it checks whether it is running from an attached removable device; if the loader is not on the removable disk, it copies all the modules, including normal files, the backdoor loader, and an encrypted backdoor payload.

In other attacks, the malware sets the auto start function with the value ‘EverNoteTrayUService’. When the user restarts the computer, it executes the ‘Evernote Tray Application’ and uses DLL hijacking to load the malicious loader. The loader first checks the file path and then decrypts the payloads. There are two payloads in this attack chain: the first is the spreader, which copies all malicious files to removable devices; the second is an encrypted backdoor that injects itself into rundll32’s memory.
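To show how the chain described above can be triaged from endpoint telemetry, here is an added detection example (not code from SentinelOne or the report). It runs three defender-side checks over constructed Sysmon-style events: a load of the encrashrep.dll loader named in the write-up, a Run-key value named EverNoteTrayUService, and an executable launched by explorer.exe from a non-system drive letter (the last check is an assumed heuristic for the fake removable disk; the process name EvernoteTray.exe and all paths are constructed samples).

```python
"""Triage constructed Sysmon-style events for the Aoqin Dragon infection chain."""
import re

# Names quoted in the write-up: the hijacked loader DLL and the autostart value.
HIJACKED_DLL = "encrashrep.dll"
AUTOSTART_VALUE = "EverNoteTrayUService"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def check_event(ev):
    """Return a list of alert strings for one event dict (empty if nothing matched)."""
    alerts = []
    kind = ev.get("type")
    if kind == "image_load":
        if ev["image"].lower().endswith(HIJACKED_DLL):
            alerts.append(f"dll-hijack: {ev['process']} loaded {ev['image']}")
    elif kind == "registry_set":
        target = ev["target"]
        if RUN_KEY_RE.search(target) and target.lower().endswith(AUTOSTART_VALUE.lower()):
            alerts.append(f"persistence: Run value {AUTOSTART_VALUE} -> {ev['data']}")
    elif kind == "process_create":
        # Assumption: an executable started by explorer.exe from a drive other than C:
        # is worth review, because the chain starts from a shortcut on a fake removable disk.
        drive = ev["image"][:2].upper()
        if drive != "C:" and ev.get("parent", "").lower().endswith("explorer.exe"):
            alerts.append(f"removable-launch: {ev['image']} spawned by explorer.exe")
    return alerts


def triage(events):
    """Run check_event over every event and flatten the alerts, in event order."""
    return [alert for ev in events for alert in check_event(ev)]


# Constructed sample telemetry (not from the report); only the two names above are real.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"E:\Removable Disk\EvernoteTray.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "image_load", "process": r"E:\Removable Disk\EvernoteTray.exe",
     "image": r"E:\Removable Disk\encrashrep.dll"},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EverNoteTrayUService",
     "data": r"E:\Removable Disk\EvernoteTray.exe"},
    {"type": "process_create", "image": r"C:\Program Files\Evernote\Evernote.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "image_load", "process": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\shell32.dll"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```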

SentinelOne also revealed that Aoqin Dragon relies heavily on the DLL hijacking technique to compromise targets and run its malware of choice, including its newest malware loader, the Mongall backdoor, and a modified Heyoka backdoor.

Last month, the SentinelLabs researchers revealed the activity of a Chinese-aligned cyberespionage hacker group operating in Central Asia, dubbed ‘Moshen Dragon,’ targeting the telecommunication sector.
