For a Decade, the Chinese Hacker Outfit Aoqin Dragon Stealthily Spied on Organizations


SentinelLabs, a threat intelligence firm, found a previously unknown Chinese-speaking threat actor and was able to link it to malicious activities dating back to 2013.

Aoqin Dragon, a hacker gang based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia, specializes in cyber-espionage and targets government, education, and telecommunications organizations.

Although the threat actor’s strategies have varied over time, some tactics and principles have remained constant.

Techniques of intrusion and infection

According to SentinelLabs, Aoqin Dragon has used three different infection chains since it was initially discovered. The first, which was utilized between 2012 and 2015, involves Microsoft Office documents that exploit CVE-2012-0158 and CVE-2010-3333 vulnerabilities.

FireEye observed this technique in 2014 in a spear-phishing campaign organized by the Chinese-backed Naikon APT group that targeted an APAC government entity and a US think tank.

The second way of infection is to disguise harmful executables with phony anti-virus icons, deceiving users into running them and launching a malware dropper on their machines.

Since 2018, Aoqin Dragon has been using a removable disk shortcut file which, when clicked, performs DLL hijacking and loads an encrypted backdoor payload.

The malware is known as “Evernote Tray Application” and starts up with the system. The payload is copied to other devices on the target’s network if the loader identifies removable devices.

Within the toolkit developed by Aoqin Dragon, SentinelLabs has identified two backdoors used by the threat group: Mongall and a modified version of Heyoka. Both are dynamic link libraries (DLLs) that are stored encrypted and loaded into memory for execution.

Mongall has been under development since at least 2013, and the most recent versions include an improved encryption mechanism as well as Themida wrapping to hinder reverse engineering.

Its main function is to profile the host and transfer the information to the C2 server via an encrypted connection, but it may also conduct file operations and execute shell commands.

The other backdoor, Heyoka, is derived from an open-source exfiltration tool that creates a bidirectional communication tunnel via spoofed DNS requests.

They utilize this program to copy files from infected devices, making it more difficult for defenders to notice the group’s data theft.
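Because a tool like Heyoka moves data inside DNS queries, the defender-side signal is in resolver logs rather than in file transfers. The following Python script is an added example, not code from the article or from SentinelLabs, that scores DNS query logs for tunnelling indicators: many queries to one registered domain, long high-entropy leftmost labels, and a high share of record types that carry arbitrary payload (TXT, NULL, CNAME). The log lines are constructed for the example, the two-label registered-domain split is a simplifying assumption (a real deployment would use the Public Suffix List), and the thresholds are starting points to tune against your own baseline.

```python
"""Heuristic detector for DNS-tunnelling style exfiltration over resolver query logs."""
import math
from collections import defaultdict

# Constructed sample resolver log (timestamp client qname qtype); not from the page.
# The three *.tun.example.net queries mimic tunnel traffic: 40-character hex labels
# that change on every query, sent as TXT lookups from one client.
SAMPLE_LOG = """\
2022-06-09T10:00:01 10.0.0.5 www.example.com A
2022-06-09T10:00:02 10.0.0.5 mail.example.com A
2022-06-09T10:00:03 10.0.0.7 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.tun.example.net TXT
2022-06-09T10:00:03 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4.tun.example.net TXT
2022-06-09T10:00:04 10.0.0.7 deadbeef0123456789abcdef0fedcba987654321.tun.example.net TXT
2022-06-09T10:00:05 10.0.0.5 www.example.com A
2022-06-09T10:00:06 10.0.0.9 cdn-static-assets.example.org A
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> dict:
    """Parse one whitespace-separated log line into a record."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def split_name(qname: str):
    """Return (registered_domain, subdomain_labels).

    Assumption: the registered domain is the last two labels. Real code should
    consult the Public Suffix List so that e.g. example.co.uk is handled.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, []
    return ".".join(labels[-2:]), labels[:-2]


def query_features(qname: str) -> dict:
    """Per-query features: owning domain, longest subdomain label, its entropy."""
    registered, sub = split_name(qname)
    longest = max(sub, key=len) if sub else ""
    return {
        "domain": registered,
        "longest_label": len(longest),
        "entropy": shannon_entropy(longest),
    }


def detect_tunnels(log_text: str, min_queries: int = 3,
                   min_label_len: int = 30, min_entropy: float = 3.0) -> dict:
    """Aggregate queries per registered domain and flag tunnel-like domains.

    A domain is flagged when it receives at least min_queries lookups whose
    longest subdomain label is, on average, both long and high-entropy.
    """
    per_domain = defaultdict(lambda: {"queries": 0, "label_len": 0.0,
                                      "entropy": 0.0, "payload_qtypes": 0})
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        feats = query_features(rec["qname"])
        agg = per_domain[feats["domain"]]
        agg["queries"] += 1
        agg["label_len"] += feats["longest_label"]
        agg["entropy"] += feats["entropy"]
        # Record types that can carry arbitrary data back to the client.
        agg["payload_qtypes"] += rec["qtype"] in ("TXT", "NULL", "CNAME")

    flagged = {}
    for domain, agg in per_domain.items():
        n = agg["queries"]
        mean_len = agg["label_len"] / n
        mean_ent = agg["entropy"] / n
        if n >= min_queries and mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[domain] = {
                "queries": n,
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "txt_share": round(agg["payload_qtypes"] / n, 2),
            }
    return flagged


if __name__ == "__main__":
    for domain, stats in detect_tunnels(SAMPLE_LOG).items():
        print(domain, stats)
```

On the constructed log the only flagged domain is example.net; the repeated benign lookups for example.com have short, zero-entropy labels and are left alone. In production the same aggregation should be keyed by client as well as by domain and run over a time window, since a tunnel's signature is sustained volume from one host rather than any single query.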

The malware developers at Aoqin Dragon have tweaked Heyoka to create a bespoke backdoor that supports the following commands:

  • open a shell
  • obtain information about the host drive
  • search for files
  • write data into an exit file
  • create a file
  • create a process
  • collect full process details on the host
  • kill a process
  • create a folder
  • remove a file or a folder

The exfiltration component comes with two hardcoded command-and-control (C2) server addresses for redundancy, which are also used by Mongall, indicating that the group’s primary infrastructure is shared between the two tools.

“We evaluate with moderate confidence the threat actor is a small Chinese-speaking team with potential affiliation to the Naikon APT organization, in addition to UNC94, based on our research of the targets, infrastructure, and malware composition of Aoqin Dragon operations,” SentinelLabs said.

Outlook

Aoqin Dragon managed to remain hidden for a decade, with only fragments of its operations appearing in older cybersecurity studies.

The gang has done so by constantly upgrading its methodologies and shifting tactics, which will almost certainly happen again in the wake of SentinelLabs’ analysis.

Aoqin Dragon will almost certainly continue its cyber-espionage operations, improving its detection avoidance and switching to new evasion strategies, given that its activities align with Chinese government political aims.
