SentinelOne security researchers have analyzed the operations of a Chinese cyberespionage group that has been actively targeting education, government, and telecommunication organizations in Australia and Southeast Asia since at least 2013.
Dubbed Aoqin Dragon, the group was observed switching from the use of malicious documents to employing a fake antivirus, and more recently using a fake removable drive to lure intended victims into installing malware on their systems.
The threat actor heavily relies on the USB shortcut technique to infect additional targets, SentinelOne says. The group typically drops one of two backdoors on a compromised system, namely Mongall or a modified variant of Heyoka.
According to SentinelOne, the ongoing Aoqin Dragon activity has been mainly focused on spying on organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.
Between 2012 and 2015, it mainly targeted victims with malicious documents exploiting CVE-2012-0158 and CVE-2010-3333. While patches for these bugs had been released before Aoqin Dragon’s exploitation attempts, “this kind of RTF-handling vulnerability decoy was very common in that period,” SentinelOne notes.
The attackers used pornographic themes to lure victims into opening the malicious documents; most documents also carried decoy content themed around APAC political affairs, and some were tailored to Southeast Asia as a whole.
Aoqin Dragon also employed executable files that featured modified file icons to pose as Windows folders or antivirus applications, but which instead dropped a backdoor on the victim’s system.
The executable dropper typically contained a script that was designed to search the system for Microsoft Word documents. The dropper also acted as a worm, abusing removable devices to spread the malware to additional hosts.
In recent campaigns, the attack chain features a removable disk shortcut file that leads to malware execution. DLL hijacking is employed to execute a malicious loader as explorer.exe.
The loader then checks for attached removable devices, copies the malware modules to the AppData folder, and configures an autostart entry pointing to the location of the malicious files, so that the loader runs again after a system reboot.
The loader then decrypts two payloads, namely a spreader designed to copy all malicious files to removable drives, and an encrypted backdoor that injects itself into the rundll32 process.
The security researchers have identified several versions of Mongall, a small backdoor that the threat actor has been using since 2013. The threat was designed to create a remote shell and to download and upload files, and uses HTTP GET requests for data transmission.
Aoqin Dragon was also observed using a modified version of Heyoka, an open source project designed to exfiltrate data through spoofed DNS requests that create a bidirectional tunnel. The cyberspies deploy this tool on the victim’s system using DLL injection.
The malware authors also expanded the project’s capabilities and added two hardcoded command and control (C&C) servers to it. Featuring the same capabilities as Mongall, the backdoor also checks whether it is running as a service, to ensure it has the privileges needed to persist.
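Because the modified Heyoka tool described above tunnels data through DNS queries, one way defenders hunt for this class of channel is to look for domains receiving many unique, long, high-entropy subdomain lookups. The following is an added detection example written for this article, not code from SentinelOne or the Heyoka project; the log format, the domain names and the thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the SentinelOne report), one
# "timestamp client qname" entry per line. "example.com" carries ordinary lookups;
# "tunnel-placeholder.net" is a hypothetical tunnel domain with encoded labels.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 mail.example.com
10:00:04 10.0.0.7 4a7f2c9e1b3d.8e6c0f2a4b9d.tunnel-placeholder.net
10:00:05 10.0.0.7 9c1e3f5a7b2d.0d4f6a8c2e1b.tunnel-placeholder.net
10:00:06 10.0.0.7 b3e5c7a9d1f0.2a4c6e8b0d3f.tunnel-placeholder.net
10:00:07 10.0.0.7 f0d2b4a6c8e1.7b9d1f3a5c2e.tunnel-placeholder.net
10:00:08 10.0.0.7 5e7a9c1b3d2f.c4a6e8b0d2f1.tunnel-placeholder.net
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())

def registered_domain(qname: str) -> str:
    """Crude 'last two labels' base domain; production code would use a PSL library."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def tunnel_candidates(log_text, min_queries=5, min_sub_len=20, min_entropy=3.0):
    """Return base domains whose subdomain labels look like an encoded data channel."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        qname = parts[2].lower()
        base = registered_domain(qname)
        sub = qname[: -len(base) - 1] if qname.endswith("." + base) else ""
        per_domain[base].append(sub)
    flagged = {}
    for base, subs in per_domain.items():
        if len(subs) < min_queries:
            continue  # too few queries to judge
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        uniq_ratio = len(set(subs)) / len(subs)  # tunnels rarely repeat a name
        if avg_len >= min_sub_len and avg_ent >= min_entropy and uniq_ratio > 0.9:
            flagged[base] = {"queries": len(subs), "avg_sub_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Run it against a real resolver log by feeding `tunnel_candidates` the same three-column format; tune the thresholds to your environment, since CDN and anti-spam lookups can also produce long random labels.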
“The targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests. Considering this long-term effort and continuous targeted attacks for the past few years, we assess the threat actor’s motives are espionage-oriented,” SentinelOne notes.