SecurityWeek

Cyberwarfare

Chinese Cyberspy Group ‘Aoqin Dragon’ Targeting Southeast Asia, Australia Since 2013

SentinelOne security researchers have analyzed the operations of a Chinese cyberespionage group that has been actively targeting education, government, and telecommunication organizations in Australia and Southeast Asia since at least 2013.


Dubbed Aoqin Dragon, the group was observed switching from the use of malicious documents to employing a fake antivirus, and more recently using a fake removable drive to lure intended victims into installing malware on their systems.

The threat actor heavily relies on the USB shortcut technique to infect additional targets, SentinelOne says. The group typically drops one of two backdoors on a compromised system, namely Mongall or a modified variant of Heyoka.

According to SentinelOne, the ongoing Aoqin Dragon activity has been mainly focused on spying on organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.

Between 2012 and 2015, it mainly targeted victims with malicious documents exploiting CVE-2012-0158 and CVE-2010-3333. While patches for these bugs had been released before Aoqin Dragon’s exploitation attempts, “this kind of RTF-handling vulnerability decoy was very common in that period,” SentinelOne notes.

The attackers used pornographic themes to lure victims into opening the malicious documents; most documents also carried decoy content themed around APAC political affairs, and some used lures specific to Southeast Asia as a whole.

Aoqin Dragon also employed executable files that featured modified file icons to pose as Windows folders or antivirus applications, but which instead dropped a backdoor on the victim’s system.

The executable dropper typically contained a script that was designed to search the system for Microsoft Word documents. The dropper also acted as a worm, abusing removable devices to spread the malware to additional hosts.


In recent campaigns, the attack chain features a removable disk shortcut file that leads to malware execution. DLL hijacking is employed to execute a malicious loader as explorer.exe.

The loader then checks for attached removable devices, copies the malware modules to the AppData folder, and configures an autostart entry pointing at the location of the malicious files, so that the loader runs again after a system reboot.

The loader then decrypts two payloads, namely a spreader designed to copy all malicious files to removable drives, and an encrypted backdoor that injects itself into the rundll32 process.
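The chain described above (a shortcut at the root of a removable drive, a copy of explorer.exe launched from outside the Windows directory so it loads a planted DLL, and an autostart entry pointing into AppData) leaves three observable traces that a defender can check for in endpoint telemetry. The script below is an added example, not code from SentinelOne or from the article; it runs three such checks over a constructed log in a simple "key=value | key=value" format that is assumed for the example and does not correspond to any real sensor's output. Paths, drive letters and the user name are placeholders.

```python
import re

# Constructed sample telemetry (not real data). The "key=value | key=value"
# line format is an assumption made for this example.
SAMPLE_EVENTS = r"""
type=process | image=C:\Windows\explorer.exe | parent=C:\Windows\System32\userinit.exe
type=process | image=E:\Documents\explorer.exe | parent=C:\Windows\explorer.exe
type=registry | key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run | value=C:\Users\alice\AppData\Roaming\Update\loader.exe
type=registry | key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run | value=C:\Program Files\OneDrive\OneDrive.exe
type=file | path=E:\Documents.lnk | drive_type=removable
type=file | path=C:\Users\alice\Desktop\report.lnk | drive_type=fixed
"""


def parse_events(text):
    """Turn the constructed log text into a list of dicts, one per line."""
    events = []
    for line in text.strip().splitlines():
        fields = {}
        for part in line.split(" | "):
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def check_explorer_path(event):
    """explorer.exe is expected to run from the Windows directory. A copy
    launched from anywhere else (here a removable drive) is the shape of the
    DLL-hijacking loader described in the article."""
    image = event.get("image", "").lower()
    if image.endswith("\\explorer.exe") and not image.startswith("c:\\windows\\"):
        return "explorer.exe launched outside the Windows directory: " + event["image"]
    return None


def check_autostart_in_appdata(event):
    """Run-key entries pointing into a user's AppData folder match the
    persistence step (modules copied to AppData, then registered to run at boot)."""
    key = event.get("key", "").lower()
    value = event.get("value", "")
    if key.endswith("\\currentversion\\run") and "\\appdata\\" in value.lower():
        return "Run-key autostart pointing into AppData: " + value
    return None


def check_root_lnk_on_removable(event):
    """A .lnk at the root of a removable drive, named like a folder, is the
    USB shortcut lure: the victim clicks what looks like their own folder."""
    if event.get("drive_type") != "removable":
        return None
    path = event.get("path", "")
    if re.fullmatch(r"[a-z]:\\[^\\]+\.lnk", path, re.IGNORECASE):
        return "shortcut at root of removable drive: " + path
    return None


CHECKS = (check_explorer_path, check_autostart_in_appdata, check_root_lnk_on_removable)


def analyze(text):
    """Run every check over every event; return (check name, detail) pairs."""
    findings = []
    for event in parse_events(text):
        for check in CHECKS:
            detail = check(event)
            if detail:
                findings.append((check.__name__, detail))
    return findings


if __name__ == "__main__":
    for name, detail in analyze(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Each check is deliberately narrow: a legitimate explorer.exe, a vendor autostart entry under Program Files and a shortcut on a fixed disk all pass, so the three hits on the sample come only from the lines that reproduce the described behaviour.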

The security researchers have identified several versions of Mongall, a small backdoor that the threat actor has been using since 2013. The backdoor was designed to create a remote shell and to download and upload files, and uses HTTP GET requests for data transmission.

Aoqin Dragon was also observed using a modified version of Heyoka, an open source project designed to exfiltrate data through spoofed DNS requests that create a bidirectional tunnel. The cyberspies deploy this tool on the victim’s system using DLL injection.

The malware authors also expanded the project’s capabilities and added two hardcoded command and control (C&C) servers to it. Featuring the same capabilities as Mongall, the backdoor also checks if it runs as a service or not, to ensure it has privileges to be persistent.
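A Heyoka-style tunnel has to push its data through DNS query names, which makes the queried names themselves the signal: long, high-entropy labels under one zone, repeated many times. The script below is an added example, not code from SentinelOne, the article or the Heyoka project; it scores a constructed query log (the "client qtype qname" format and the zone tunnel-example.net are assumptions for the example) by payload length and Shannon entropy, then reports zones that collect several suspicious queries.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not real traffic): "client qtype qname" per line.
# tunnel-example.net stands in for a hypothetical attacker-controlled zone.
SAMPLE_DNS_LOG = """
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 A static-assets-images-prod-01.cdn-example.com
10.0.0.7 TXT qm7x2ktv9pzr4hnb8wgf3dsy6cj5ae.tunnel-example.net
10.0.0.7 TXT 0kfz8vqt3mybc2nwj5hpr6xgd9ls4a.tunnel-example.net
10.0.0.7 TXT w4hd9ksx7bqz2nvm5gpt3cfr8jly6e.tunnel-example.net
10.0.0.7 A api.example.com
"""

MIN_PAYLOAD_LEN = 30      # encoded data usually fills labels near the 63-byte limit
MIN_ENTROPY = 3.5         # bits/char; hostnames made of words score well below this
MIN_FLAGGED_PER_ZONE = 3  # one odd name is noise, a series under one zone is a channel


def shannon_entropy(s):
    """Bits per character: 0 for one repeated symbol, log2(len) when all distinct."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Split 'payload.labels.zone.tld' into (payload, zone). Assumes a two-label
    registrable zone, which is enough for this example."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def is_suspicious_query(qname):
    """Long and high-entropy payload labels look like encoded data, not a hostname."""
    payload, _ = split_query(qname)
    data = payload.replace(".", "")
    return len(data) >= MIN_PAYLOAD_LEN and shannon_entropy(data) >= MIN_ENTROPY


def find_tunnel_zones(log_text):
    """Count suspicious queries per zone; return zones at or over the threshold."""
    flagged = defaultdict(int)
    for line in log_text.strip().splitlines():
        _client, _qtype, qname = line.split()
        if is_suspicious_query(qname):
            _, zone = split_query(qname)
            flagged[zone] += 1
    return {zone: n for zone, n in flagged.items() if n >= MIN_FLAGGED_PER_ZONE}


if __name__ == "__main__":
    for zone, n in find_tunnel_zones(SAMPLE_DNS_LOG).items():
        print(f"possible DNS tunnel: {zone} ({n} suspicious queries)")
```

The length test alone would miss nothing in this sample but would also pass long CDN hostnames; the entropy test filters those, and the per-zone count keeps a single unusual name from raising an alert on its own. Because Heyoka spoofs the source of its requests, the client address is deliberately not part of the score.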

“The targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests. Considering this long-term effort and continuous targeted attacks for the past few years, we assess the threat actor’s motives are espionage-oriented,” SentinelOne notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
