Sentinel Labs has discovered the Aoqin Dragon hack group, which is engaged in cyber espionage, attacking government, educational and telecommunications organizations in Singapore, Hong Kong, Vietnam, Cambodia and Australia.Analysts have been lucky to link the hackers to malicious activity dating as far back as 2013.
Aoqin Dragon managed to remain virtually unnoticed for ten years, with only a fraction of the hackers’ activity falling into the old reports of information security companies.
Let me remind you that we also talked about the fact that Three Chinese APT Groups Attack Major Telecommunications Companies.
Experts write that the Aoqin Dragon group has achieved such secrecy by constantly improving their methods and changing tactics. And now, with the release of the Sentinel Labs report, it’s likely to happen again.
During this time, Aoqin Dragon used three different tactics to infect the targeted systems, according to the researchers. The oldest tactic, used between 2012 and 2015, exploited Microsoft Office documents and known vulnerabilities, including CVE-2012-0158 and CVE-2010-3333.
Such attacks were spotted by FireEye in 2014 while studying a spear phishing campaign by the Chinese hack group Naikon APT targeting government agencies in the Asia-Pacific region and a think tank in the United States.
The second tactic is disguising malicious executables with fake antivirus icons to trick the user into launching and activating the malware dropper.
A third tactic that Aoqin Dragon has been using from 2018 to the present is exploiting removable disk shortcuts that, when clicked, cause DLL hijacking and download an encrypted backdoor payload.
Sentinel Labs has identified two different backdoors used by this hack group: Mongall and a modified version of Heyoka. Both are DLLs that are injected into memory, decrypted, and then executed.
Mongall has been in development since at least 2013, and the latest versions feature an updated encryption protocol and Themida wrapper designed to protect against reverse engineering. The main purpose of this malware is to profile the infected host and send the collected data to the command-and-control server via an encrypted channel. Although Mongall can also perform actions on files and run shells.
The second backdoor, Heyoka, is an open-source data mining tool that uses fake DNS queries to create a bi-directional communication tunnel. This tool is used by hackers to copy files from compromised devices to make it harder for defenders to detect data theft.
At the same time, the developers of Aoqin Dragon modified Heyoka, turning it into a backdoor with support for the following commands:
- open shell;
- get information about the host disk;
- file search;
- create a file;
- create a process;
- get all information about the processes on the host;
- terminate the process;
- create a folder;
- delete file or folder.
User Review( votes)