Researchers have identified a small yet potent China-linked APT that has flown under the radar for nearly a decade running campaigns against government, education and telecommunication organizations in Southeast Asia and Australia.
Researchers from SentinelLabs said the APT, which they dubbed Aoqin Dragon, has been operating since at least 2013. The APT is "a small Chinese-speaking team with potential association to [an APT called] UNC94," they reported.
Among Aoqin Dragon's tactics and techniques, researchers say, is the use of pornography-themed malicious documents as bait to entice victims into downloading them.
"Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices," researchers wrote.
Aoqin Dragon's Evolving Stealth Tactics
Part of what has helped Aoqin Dragon stay under the radar for so long is that the group has kept changing its methods, in particular the means it uses to infect target computers.
In their first few years of operation, Aoqin Dragon relied on exploiting old vulnerabilities, specifically CVE-2012-0158 and CVE-2010-3333, which their targets might not yet have patched.
Later, Aoqin Dragon created executable files with desktop icons that made them look like Windows folders or antivirus software. These programs were actually malicious droppers which planted backdoors and then established connections back to the attackers' command-and-control (C2) servers.
Since 2018, the group has been using a fake removable device as its infection vector. When a user clicks to open what seems to be a removable device folder, they in fact start a chain of actions that downloads a backdoor to their machine and opens a connection to the C2 server. Not only that, the malware copies itself to any real removable devices connected to the host machine, in order to continue spreading beyond the host and, the attackers hope, into the target's broader network.
The group has employed other techniques to stay off the radar. It has used DNS tunneling, abusing the internet's domain name system to sneak data past firewalls. One backdoor the group leverages, known as Mongall, encrypts the communication data between host and C2 server. Over time, the researchers said, the APT slowly kept working on the fake removable disk technique; this "upgraded the malware to protect it from being detected and removed by security products."
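DNS tunneling, as described above, tends to leave a recognisable footprint in resolver logs: many queries to one base domain, each with a different long, high-entropy subdomain label carrying the encoded data. The following detector is an added example (not SentinelLabs' code and not related to any real Aoqin Dragon indicator); the log format, the placeholder domains and the thresholds are assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Heuristic DNS-tunneling detector over DNS query logs (added example, not from the article)."""
import math
import re
from collections import defaultdict

# Constructed sample log, one query per line: "timestamp client qname qtype".
# The domains are placeholders, not real infrastructure.
SAMPLE_LOG = """\
2022-06-09T10:00:01Z 10.0.0.5 www.example.com A
2022-06-09T10:00:02Z 10.0.0.5 mail.example.com A
2022-06-09T10:00:03Z 10.0.0.7 4a6f686e2d446f653a2d7365637265742d.c2-placeholder.test TXT
2022-06-09T10:00:04Z 10.0.0.7 3f9a1c7e5b2d8e0f6a4c1b9d7e3f5a2c.c2-placeholder.test TXT
2022-06-09T10:00:05Z 10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2-placeholder.test TXT
2022-06-09T10:00:06Z 10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2-placeholder.test TXT
2022-06-09T10:00:07Z 10.0.0.5 cdn.example.com A
2022-06-09T10:00:08Z 10.0.0.7 ffeeddccbbaa99887766554433221100.c2-placeholder.test TXT
"""

# Assumed log layout; adapt the pattern to whatever your resolver actually emits.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded or encrypted payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain_part, base_domain). The base domain is approximated as the
    last two labels; production code should consult a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def profile_domains(records):
    """Aggregate per-base-domain features that distinguish tunnels from normal traffic."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "label_len": 0, "entropy": 0.0, "txt": 0})
    for r in records:
        sub, base = split_name(r["qname"])
        st = stats[base]
        st["queries"] += 1
        st["subs"].add(sub)                       # tunnels rarely repeat a subdomain
        st["label_len"] += max((len(lab) for lab in sub.split(".")), default=0)
        st["entropy"] += shannon_entropy(sub.replace(".", ""))
        if r["qtype"].upper() in ("TXT", "NULL", "CNAME"):   # record types that carry bulk data back
            st["txt"] += 1
    return stats


def flag_tunneling(records, min_queries=3, min_unique_ratio=0.8, min_label_len=20, min_entropy=3.0):
    """Return [(base_domain, features)] for domains whose query mix looks like a tunnel.
    Thresholds are illustrative; tune them against your own baseline traffic."""
    flagged = []
    for base, st in profile_domains(records).items():
        n = st["queries"]
        if n < min_queries:
            continue
        unique_ratio = len(st["subs"]) / n
        avg_label = st["label_len"] / n
        avg_entropy = st["entropy"] / n
        if unique_ratio >= min_unique_ratio and avg_label >= min_label_len and avg_entropy >= min_entropy:
            flagged.append((base, {
                "queries": n,
                "unique_subdomain_ratio": round(unique_ratio, 2),
                "avg_longest_label": round(avg_label, 1),
                "avg_entropy": round(avg_entropy, 2),
                "txt_like_queries": st["txt"],
            }))
    return sorted(flagged)


if __name__ == "__main__":
    for base, info in flag_tunneling(parse_log(SAMPLE_LOG)):
        print(base, info)
```

On the constructed log only `c2-placeholder.test` is flagged: every query to it carries a unique 32-to-34-character hex-like label averaging well above 3 bits of entropy per character, while `example.com` has short, low-entropy hostnames despite also having all-unique subdomains. The three features are combined deliberately: any one of them alone (long labels from CDNs, unique subdomains from legitimate per-client hostnames, TXT lookups from email authentication) generates noise on its own.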
Nation-State Links
Targets have tended to fall into just a few buckets: government, education and telecoms, all in and around Southeast Asia. Researchers assert "the targeting of Aoqin Dragon closely aligns with the Chinese government's political interests."
Further evidence of Chinese involvement includes a debug log found by researchers that contains simplified Chinese characters.
Most important of all, the researchers highlighted an overlapping attack on the website of the president of Myanmar back in 2014. In that case, police traced the hackers' command-and-control and mail servers to Beijing. Aoqin Dragon's two primary backdoors "have overlapping C2 infrastructure" with that case, "and most of the C2 servers can be attributed to Chinese-speaking users."
Still, "properly identifying and tracking State and State Sponsored threat actors can be challenging," Mike Parkin, senior technical engineer at Vulcan Cyber, wrote in a statement. "SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn't appear in other lists, shows how hard it can be 'to be sure' when you're identifying a new threat actor."