chinese-hacker

A previously unknown Chinese-speaking threat actor has been discovered by threat analysts SentinelLabs who were able to link it to malicious activity going as far back as 2013.

Named Aoqin Dragon, the hacking group is focused on cyber-espionage, targeting government, education, and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia.

The threat actor's techniques have evolved throughout the years, but some tactics and concepts remain unchanged.

Intrusion and infection tactics

Aoqin Dragon has employed three distinct infection chains since it was first spotted, according to SentinelLabs. The earliest, used between 2012 and 2015, involves Microsoft Office documents that exploit known vulnerabilities like CVE-2012-0158 and CVE-2010-3333.

This tactic was spotted by FireEye in 2014 in a spear-phishing campaign coordinated by the Chinese-backed Naikon APT group, targeting an APAC government entity and a US think tank.

The second infection method is masking malicious executables with fake anti-virus icons, tricking the users into launching them, and activating a malware dropper on their devices.

From 2018 until now, Aoqin Dragon has turned to using a removable disk shortcut file that, when clicked, performs DLL hijacking and loads an encrypted backdoor payload.

The malware runs under the name "Evernote Tray Application" and executes upon system start. If the loader detects removable devices, it also copies the payload to infect other devices on the target's network.

Most recent infection chain used by Aoqin Dragon
Most recent infection chain used by Aoqin Dragon (SentinelLabs)

Aoqin Dragon's toolset

SentinelLabs has identified two different backdoors used by the particular threat group, Mongall and a modified version of Heyoka. Both are DLLs that are injected into memory, decrypted, and executed.

Mongall has been under development since at least 2013, and recent versions feature an upgraded encryption protocol and Themida wrapping designed to protect it against reverse engineering.

Its primary purpose is to profile the host and send the details to the C2 server using an encrypted channel, but it's also capable of performing file actions and executing shell.

The other backdoor, Heyoka, is an open-source exfiltration tool that uses spoofed DNS requests to create a bidirectional communication tunnel.

They use this tool when copying files from compromised devices to make it harder for defenders to detect the group's data theft activity.

Heyoka mods (left) and source code (right)
Heyoka mods (left) and source code (right) (SentinelLabs)

Aoqin Dragon's malware developers have modified Heyoka to create a custom backdoor with support for the following commands:

  • open a shell
  • get host drive information
  • search file function
  • input data in an exit file
  • create a file
  • create a process
  • get all process information in this host
  • kill process
  • create a folder
  • delete file or folder

The exfil tool also comes with two hardcoded command-and-control (C2) server addresses for redundancy, also used by Mongall, so there's an overlap in the group's primary infrastructure.

"Based on our analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, we assess with moderate confidence the threat actor is a small Chinese-speaking team with potential association to the Naikon APT group, in addition to UNC94," SentinelLabs said.

Outlook

Aoqin Dragon managed to stay in the shadows for a decade, with only parts of its operation surfacing in older reports [PDF] by cybersecurity firms.

The group has achieved this by continuously evolving its techniques and changing tactics, which will likely happen again following the exposure it got after SentinelLabs' report.

Considering that its activities align with Chinese government political interests, it's almost certain that Aoqin Dragon will continue its cyber-espionage operations, improving its detection avoidance and switching to new evasion tactics.

Related Articles:

Chinese hackers infect Dutch military network with malware

Stealthy KV-botnet hijacks SOHO routers and VPN devices

Finland confirms APT31 hackers behind 2021 parliament breach

US sanctions APT31 hackers behind critical infrastructure attacks

Russian hackers target German political parties with WineLoader malware