Skip to content
Evidence suggests that a just-discovered APT has been active since 2013.
Researchers have identified a small, yet nasty, China-linked APT that has remained undiscovered for almost a decade running campaigns against Govt., education & telecommunication organisations in Southeast Asia & Australia.
Researchers from Sentinel Labs stated the APT, which they called ‘Aoqin Dragon’, has been operating since at least 2013. The APT is “a small Chinese-speaking team with potential association to an APT called UNC94,” they reported.
Malicious Documents
Researchers say one of the tactics & techniques of Aoqin Dragon include using pornographic themed malicious documents as bait to encourage targets to download them.
“Aoqin Dragon seeks initial access primarily through document exploits & the use of fake removable devices,” researchers wrote.
Evolving Stealth Tactics
Part of what is helped Aoqin Dragon stay unknown for so long is that they have evolved. E.g., the means the APT used to infect target computers has evolved.
In their 1st few years of operation, Aoqin Dragon relied on exploiting old vulnerabilities – specifically, CVE-2012-0158 & CVE-2010-3333 – which their targets might not have yet patched.
Then, Aoqin Dragon created executable files with desktop icons that made them appear to look just like Windows folders or antivirus software. These programs were really malicious ‘droppers’ which installed backdoors, & then established connections back to the attackers’ command-&-control (C2) servers.
Fake Removable Device
From 2018, the group has been using a fake removable device as their infection method. When a user clicks to open what seems to be a removable device folder, they really start a chain reaction which downloads a backdoor & C2 connection to their machine.
Not only this, but the malware also copies itself to any actual removable devices connected to the host machine, in order to continue its spread beyond the host &, hopefully, into the target’s broader network.
Other Methods
The group has used other methods to remain invisible. They have used DNS tunnelling – manipulating the internet’s domain name system to get data past firewalls.
One backdoor used – known as Mongall – encrypts communication data between host & C2 server. Over the years, the researchers explained, the APT began slowly working the fake removable disc technique. This was done to ”pre-graded the malware to protect it from being detected & removed by security products.”
Nation-State Links
Targets have tended to be of just a few sorts – Govt., education & telecoms, all in & around SE Asia. Researchers suggest that “the targeting of Aoqin Dragon closely aligns with the Chinese Govt’s political interests.”
Further suggestion of China influence includes a ‘debug log’ found by researchers that contains simplified Chinese characters.
Most importantly, the researchers highlighted an overlapping attack on the President of Myanmar’s website in 2014. In this case, police traced the hackers’ command-&-control & mail servers to China. Aoqin Dragon’s 2 primary backdoors “have overlapping C2 infrastructure,” with that case, “and most of the C2 servers can be attributed to Chinese-speaking users.”
State Sponsored
“Properly identifying & tracking State & State Sponsored threat actors can be challenging,” Mike Parkin, Senior Technical Engineer at Vulcan Cyber, wrote.
“Sentinel One releasing the information now on an APT group that has apparently been active for almost a decade, & doesn’t appear in other lists, shows how hard it can be ‘to be sure’ when you’re identifying a new threat actor.”
