A decade-long Chinese spy campaign targeting Southeast Asia and Australia


A previously undocumented Chinese-speaking Advanced Persistent Threat (APT) actor named Aoqin Dragon has been linked to a series of espionage-motivated attacks targeting government, education and telecom entities, primarily in Southeast Asia and Australia, dating back to 2013.

“Aoqin Dragon seeks first access primarily through document exploits and the use of fake removable devices,” SentinelOne researcher Joey Chen said in a report shared with The Hacker News. “Other techniques the attacker has been observed to use include DLL hijacking, Themida-packed files, and DNS tunneling to evade detection after compromise.”

The group is said to have some degree of association with another threat actor known as Naikon (aka Override Panda), with campaigns primarily aimed at targets in Australia, Cambodia, Hong Kong, Singapore and Vietnam.

Infection chains set up by Aoqin Dragon have relied on decoy documents themed around Asia-Pacific political affairs and pornography, as well as USB shortcut techniques, to trigger the deployment of one of two backdoors: Mongall and a modified version of the open-source Heyoka project.

The document lures exploited old, unpatched security vulnerabilities (CVE-2012-0158 and CVE-2010-3333), with the decoy content tricking targets into opening the files. Over the years, the threat actor has also used executable droppers masquerading as antivirus software to deploy the implant and connect to a remote server.

“Although executables with fake file icons have been used by various actors, it remains an effective tool, especially for APT targets,” Chen explained. “Combined with ‘interesting’ email content and a catchy file name, users can be socially manipulated into clicking the file.”

That said, Aoqin Dragon’s most recent initial access vector, in use since 2018, is a shortcut file (.LNK) disguised as a removable device. When clicked, it runs an executable (“RemovableDisc.exe”) that carries the icon of the popular note-taking app Evernote but is designed to function as a loader for two different payloads.

One of the components in the infection chain is a spreader that copies all malicious files to other removable devices; the second module is an encrypted backdoor that injects itself into the memory of rundll32, a native Windows process used to load and run DLL files.

Known to have been in use since at least 2013, Mongall (“HJ-client.dll”) has been described as an implant that is not “particularly feature-rich,” but one that contains enough functionality to create a remote shell and to upload and download arbitrary files to and from the attacker’s command-and-control server.

The adversary also uses a reworked variant of Heyoka (“srvdll.dll”), a proof-of-concept (PoC) exfiltration tool “that uses spoofed DNS requests to create a bi-directional tunnel.” The custom Heyoka backdoor is more powerful, equipped with capabilities to create, delete and search files, create and terminate processes, and collect process information from a compromised host.
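Heyoka-style DNS tunnels carry data inside the query names themselves, which gives defenders a detection angle in DNS logs: a single client repeatedly asking for long, high-entropy, never-repeated subdomains of one domain. The script below is an added example and is not code from the SentinelOne report or from the Heyoka project. It scores per-client, per-domain query batches by label length, Shannon entropy and subdomain uniqueness; the log format, domain names and thresholds are assumptions, and the log sample is constructed.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not taken from any real incident).
# One record per line: "<timestamp> <client_ip> <query_name> <qtype>".
SAMPLE_LOG = """\
2022-06-09T10:00:01 10.0.0.5 www.example.com A
2022-06-09T10:00:02 10.0.0.5 mail.example.com MX
2022-06-09T10:00:03 10.0.0.7 a9f3k2mz8q1lx0vb7c4e5d6t.tunnel-example.net TXT
2022-06-09T10:00:04 10.0.0.7 zq81lm3n5b7v9c2x4k6j8h0g.tunnel-example.net TXT
2022-06-09T10:00:05 10.0.0.7 p0o9i8u7y6t5r4e3w2q1a2s3.tunnel-example.net TXT
2022-06-09T10:00:06 10.0.0.7 l1k2j3h4g5f6d7s8a9q0w1e2.tunnel-example.net TXT
2022-06-09T10:00:07 10.0.0.5 cdn.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log record into its fields, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None  # no subdomain below the registered domain, so nothing to carry data
    return {
        "ts": ts,
        "client": client,
        "qtype": qtype.upper(),
        # Simplification: the last two labels are treated as the registered domain.
        # A production detector would consult the public suffix list instead.
        "domain": ".".join(labels[-2:]),
        "subdomain": ".".join(labels[:-2]),
        "leftmost": labels[0],
    }


def analyze(log_text: str, min_queries: int = 3, min_label_len: int = 20,
            min_entropy: float = 3.0, min_unique_ratio: float = 0.8):
    """Return one finding per (client, domain) pair whose queries look like a tunnel.

    All thresholds are assumed starting points and should be tuned per environment.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["client"], rec["domain"])].append(rec)

    findings = []
    for (client, domain), recs in groups.items():
        if len(recs) < min_queries:
            continue
        unique_ratio = len({r["subdomain"] for r in recs}) / len(recs)
        avg_len = sum(len(r["leftmost"]) for r in recs) / len(recs)
        avg_entropy = sum(shannon_entropy(r["leftmost"]) for r in recs) / len(recs)
        # TXT and NULL records hold the most payload per answer, so they are a soft signal.
        bulk_ratio = sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs)
        if avg_len >= min_label_len and avg_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            findings.append({
                "client": client,
                "domain": domain,
                "query_count": len(recs),
                "unique_ratio": unique_ratio,
                "avg_label_len": avg_len,
                "avg_entropy": round(avg_entropy, 3),
                "bulk_record_ratio": bulk_ratio,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print("possible DNS tunnel:", finding)
```

Run against a real resolver log, the same three signals separate CDN or anti-spam lookups (short, dictionary-like labels that repeat) from tunnel traffic (long labels that never repeat); the `bulk_record_ratio` field is reported rather than used as a gate because a tunnel can ride on A or CNAME queries just as well.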

“Aoqin Dragon is an active cyber-espionage group that has been active for almost a decade,” Chen said, adding, “it is likely that they will also continue to improve their craft, find new methods to evade detection and stay in their target network for longer.”