<— Back

Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years

Executive Summary

  • Aoqin Dragon, a threat actor SentinelLabs has been extensively tracking, has operated since 2013 targeting government, education, and telecommunication organizations primarily in Southeast Asia and Australia.
  • Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices.
  • Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.
  • Based on our analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, we assess with moderate confidence the threat actor is a small Chinese-speaking team with potential association to what Mandiant largely tracks as UNC94.

Overview

SentinelLabs has uncovered a cluster of activity beginning at least as far back as 2013 and continuing to the present day, primarily targeting organizations in Southeast Asia and Australia. We assess that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. We track this activity as ‘Aoqin Dragon’. The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.

Threat Actor Infection Chain

Throughout our analysis of Aoqin Dragon campaigns, we observed a clear evolution in their infection chain and TTPs. We divide their infection strategy into three parts.

  1. Using a document exploit and tricking the user into opening a weaponized Word document to install a backdoor.
  2. Luring users into double-clicking a fake Anti-Virus to execute malware in the victim’s host.
  3. Forging a fake removable device to lure users into opening the wrong folder and installing the malware successfully on their system. Initial Access via Exploitation of Old and Unpatched Vulnerabilities

During 2012 to 2015, Aoqin Dragon relied heavily on CVE-2012-0158 and CVE-2010-3333 to compromise their targets. In 2014, FireEye published a blog detailing related activity using lure documents themed around the disappearance of Malaysia Airlines Flight MH370 to conduct their attacks. Although those vulnerabilities are very old and were patched before being deployed by Aoqin Dragon, this kind of RTF-handling vulnerability decoy was very common in that period.

There are three interesting points that we discovered from these decoy documents. First, most decoy content is themed around targets who are interested in APAC political affairs. Second, the actors made use of lure documents themed to pornographic topics to entice the targets. Third, in many cases, the documents are not specific to one country but rather the entirety of Southeast Asia.

Joey Chen

Joey Chen is working as a Cyber Threat Researcher for SentinelOne Incorporated in Taiwan. His major areas of research include incident response, APT investigation, malware analysis and cryptography analysis. He has been a speaker at HITB, Virus Bulletin, CODEBLUE, DeepIntel, HITCON and CYBERSEC etc. Now he is focusing on the security issues of target attack, emerging threats and IOT systems. He also develops an automation intelligence platform to help his team get more sleep at night.