A previously unknown Chinese-speaking threat actor has been discovered by threat analysts SentinelLabs who were able to link it to malicious activity going as far back as 2013.
Named Aoqin Dragon, the hacking group is focused on cyber-espionage, targeting government, education, and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia.
The threat actor’s techniques have evolved throughout the years, but some tactics and concepts remain unchanged.
Intrusion and infection tactics
Aoqin Dragon has employed three distinct infection chains since it was first spotted, according to SentinelLabs. The earliest, used between 2012 and 2015, involves Microsoft Office documents that exploit known vulnerabilities like CVE-2012-0158 and CVE-2010-3333.
This tactic was spotted by FireEye in 2014 in a spear-phishing campaign coordinated by the Chinese-backed Naikon APT group, targeting an APAC government entity and a US think tank.
The second infection method is masking malicious executables with fake anti-virus icons, tricking the users into launching them, and activating a malware dropper on their devices.
From 2018 until now, Aoqin Dragon has turned to using a removable disk shortcut file that, when clicked, performs DLL hijacking and loads an encrypted backdoor payload.
The malware runs under the name “Evernote Tray Application” and executes upon system start. If the loader detects removable devices, it also copies the payload to infect other devices on the target’s network.
Aoqin Dragon’s toolset
SentinelLabs has identified two different backdoors used by the particular threat group, Mongall and a modified version of Heyoka. Both are DLLs that are injected into memory, decrypted, and executed.
Mongall has been under development since at least 2013, and recent versions feature an upgraded encryption protocol and Themida wrapping designed to protect it against reverse engineering.
Its primary purpose is to profile the host and send the details to the C2 server using an encrypted channel, but it’s also capable of performing file actions and executing shell.
The other backdoor, Heyoka, is an open-source exfiltration tool that uses spoofed DNS requests to create a bidirectional communication tunnel.
They use this tool when copying files from compromised devices to make it harder for defenders to detect the group’s data theft activity.
Aoqin Dragon’s malware developers have modified Heyoka to create a custom backdoor with support for the following commands:
open a shell
get host drive information
search file function
input data in an exit file
create a file
create a process
get all process information in this host
kill process
create a folder
delete file or folder
The exfil tool also comes with two hardcoded command-and-control (C2) server addresses for redundancy, also used by Mongall, so there’s an overlap in the group’s primary infrastructure.
“Based on our analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, we assess with moderate confidence the threat actor is a small Chinese-speaking team with potential association to the Naikon APT group, in addition to UNC94,” SentinelLabs said.
Outlook
Aoqin Dragon managed to stay in the shadows for a decade, with only parts of its operation surfacing in older reports [PDF] by cybersecurity firms.
The group has achieved this by continuously evolving its techniques and changing tactics, which will likely happen again following the exposure it got after SentinelLabs’ report.
Considering that its activities align with Chinese government political interests, it’s almost certain that Aoqin Dragon will continue its cyber-espionage operations, improving its detection avoidance and switching to new evasion tactics.