Pierluigi Paganini June 09, 2022

Researchers spotted a previously undocumented Chinese-speaking APT, tracked as Aoqin Dragon, targeting entities in Southeast Asia and Australia.

SentinelOne documented a series of attacks aimed at government, education, and telecom entities in Southeast Asia and Australia carried out by a previously undocumented Chinese-speaking APT tracked as Aoqin Dragon. The APT primary focus on cyberespionage against targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. 

The group has been active since at least 2013, the Aoqin Dragon was observed seeking initial access primarily through document exploits and the use of fake removable devices.

Other techniques employed by the APT group include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.

The researchers point out that the infection chain and TTPs associated with the group evolved over the years, they divide the infection strategy into three parts:

1. Using a document exploit and tricking the user into opening a weaponized Word document to install a backdoor.
2. Luring users into double-clicking a fake Anti-Virus to execute malware in the victim’s host.
3. Forging a fake removable device to lure users into opening the wrong folder and installing the malware successfully on their system.

Most of the bait documents are themed around targets who are interested in APAC political affairs, but threat actors also used lure documents themed pornographic topics.

SentinelOne reported that that Aoqin Dragon used to distinct backdoors, the first one dubbed Mongall, while the second one is a modified version of the open source Heyoka project. The threat actors are using the Mongall backdoor (“HJ-client.dll”) since at least 2013, it is not a sophisticated implant, but includes features to create a remote shell and upload and download arbitrary files.

The customized version of the Heyoka backdoor is more powerful and is able to terminate processes, manipulate files, and collect process information on a infected machine.

Between 2012 and 2015, the Aoqin Dragon actors heavily relied on exploits for CVE-2012-0158 and CVE-2010-3333 vulnerabilities.

From 2018 to present, Aoqin Dragon has also been observed using a fake removable device as an initial infection vector. The APT has improved its malicious code over the time to avoid detection.

Below is the attack chain observed recent campaigns:

1. A Removable Disk shortcut file is made which contains a specific path to initiate the malware.
2. When a user clicks the fake device, it will execute the “Evernote Tray Application” and use DLL hijacking to load the malicious encrashrep.dll loader as explorer.exe.
3. After executing the loader, it will check if it is in any attached removable devices.
4. If the loader is not in the removable disk, it will copy all the modules under “%USERPROFILE%\AppData\Roaming\EverNoteService\”, which includes normal files, the backdoor loader and an encrypted backdoor payload.
5. The malware sets the auto start function with the value “EverNoteTrayUService”. When the user restarts the computer, it will execute the “Evernote Tray Application” and use DLL hijacking to load the malicious loader.
6. The loader will check the file path first and decrypt the payloads. There are two payloads in this attack chain: the first payload is the spreader, which copies all malicious files to removable devices; the second one is an encrypted backdoor which injects itself into rundll32’s memory.

“Aoqin Dragon is an active cyberespionage group that has been operating for nearly a decade. We have observed the Aoqin Dragon group evolve TTPs several times in order to stay under the radar. We fully expect that Aoqin Dragon will continue conducting espionage operations. In addition, we assess it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and stay longer in their target network. SentinelLabs continues to track this activity cluster to provide insight into their evolution.” concludes the report.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Aoqin Dragon)

[adrotate banner=”5″]

[adrotate banner=”13″]