Chinese Hack Group Aoqin Dragon Has Been Quietly Attacking Companies Since 2013

Sentinel Labs has discovered the Aoqin Dragon hack group, which is engaged in cyber espionage, attacking government, educational and telecommunications organizations in Singapore, Hong Kong, Vietnam, Cambodia and Australia.

Analysts have been lucky to link the hackers to malicious activity dating as far back as 2013.
Aoqin Dragon managed to remain virtually unnoticed for ten years, with only a fraction of the hackers’ activity falling into the old reports of information security companies.

Let me remind you that we also talked about the fact that Three Chinese APT Groups Attack Major Telecommunications Companies.

Experts write that the Aoqin Dragon group has achieved such secrecy by constantly improving their methods and changing tactics. And now, with the release of the Sentinel Labs report, it’s likely to happen again.

Aoqin Dragon hack band

During this time, Aoqin Dragon used three different tactics to infect the targeted systems, according to the researchers. The oldest tactic, used between 2012 and 2015, exploited Microsoft Office documents and known vulnerabilities, including CVE-2012-0158 and CVE-2010-3333.

Such attacks were spotted by FireEye in 2014 while studying a spear phishing campaign by the Chinese hack group Naikon APT targeting government agencies in the Asia-Pacific region and a think tank in the United States.

The second tactic is disguising malicious executables with fake antivirus icons to trick the user into launching and activating the malware dropper.

A third tactic that Aoqin Dragon has been using from 2018 to the present is exploiting removable disk shortcuts that, when clicked, cause DLL hijacking and download an encrypted backdoor payload.

This malware is called Evernote Tray Application and runs at system startup. If the bootloader detects available removable devices, it copies the payload to them as well in order to infect other devices on the target network.the researchers said.

Sentinel Labs has identified two different backdoors used by this hack group: Mongall and a modified version of Heyoka. Both are DLLs that are injected into memory, decrypted, and then executed.

Mongall has been in development since at least 2013, and the latest versions feature an updated encryption protocol and Themida wrapper designed to protect against reverse engineering. The main purpose of this malware is to profile the infected host and send the collected data to the command-and-control server via an encrypted channel. Although Mongall can also perform actions on files and run shells.

The second backdoor, Heyoka, is an open-source data mining tool that uses fake DNS queries to create a bi-directional communication tunnel. This tool is used by hackers to copy files from compromised devices to make it harder for defenders to detect data theft.

At the same time, the developers of Aoqin Dragon modified Heyoka, turning it into a backdoor with support for the following commands:

  1. open shell;
  2. get information about the host disk;
  3. file search;
  4. create a file;
  5. create a process;
  6. get all information about the processes on the host;
  7. terminate the process;
  8. create a folder;
  9. delete file or folder.

Based on our analysis, victims, infrastructure, and design of the Aoqin Dragon malware, we quite confidently assess this threat as a small Chinese-speaking hack group that may be related to APT Naikon and UNC94.Sentinel Labs researchers conclude.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button