Aoqin Dragon Has the Hallmarks of Chinese Espionage
Threat actor Aoqin Dragon continues its stealthy eight-year espionage campaign with attacks on targets primarily located in southeast Asia and Australia.
The APT group typically targets government, education and telecommunications organizations, according to a blog post from researchers at SentinelLabs who uncovered the actor’s nefarious activities. These include dropping lures in the form of documents with pornographic themes to infect users. The group also uses USB shortcut techniques to spread malware and infect additional targets.
“The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets,” SentinelLabs researchers wrote. “Attacks attributable to Aoqin Dragon typically drop one of two backdoors: Mongall and a modified version of the open source Heyoka project.”
On closer inspection, Aoqin Dragon campaigns demonstrated “a clear evolution in their infection chain and TTPs” that the researchers divided into three parts:
- Using a document exploit and tricking the user into opening a weaponized Word document to install a backdoor.
- Luring users into double-clicking a fake antivirus to execute malware in the victim’s host.
- Forging a fake removable device to lure users into opening the wrong folder and installing the malware successfully on their system.
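The third stage above relies on a shortcut file standing in for a folder on removable media. Below is an added triage script, written for this article and not SentinelLabs' or Aoqin Dragon-related code, that a responder could run over a mounted drive image to flag that layout. It assumes the common lure shape (a `.lnk` that carries a folder's name or whose target launches an executable, and document-looking files with an executable extension); the sample tree, file names and shortcut contents it builds are constructed for the demo and parse nothing beyond printable strings, so no full LNK parser is needed.

```python
import os
import re
import tempfile
from pathlib import Path

# Strings typical of a shortcut that launches a program instead of opening a
# folder. Heuristic only; tune for your environment.
EXEC_HINT = re.compile(r"(rundll32|cmd\.exe|powershell|wscript|\.exe\b|\.dll\b|\.scr\b)", re.I)
# "report.pdf.exe" style names that imitate a document.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|jpe?g|png|txt)\.(exe|scr|com|bat)$", re.I)


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Pull ASCII and UTF-16LE runs out of raw bytes; enough for triage of a
    shortcut's target/arguments fields without decoding the whole format."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [r.decode("ascii") for r in ascii_runs] + [r.decode("utf-16-le") for r in utf16_runs]


def scan_drive(root: Path) -> list[tuple[str, str]]:
    """Walk a mounted drive (or extracted image) and return (relative path,
    reason) for each item matching a lure heuristic."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            rel = str((here / name).relative_to(root))
            if name.lower().endswith(".lnk"):
                # A shortcut named like a folder beside it is the classic
                # "open the wrong folder" decoy.
                if name[:-4].lower() in sibling_dirs:
                    findings.append((rel, "shortcut carries the name of a sibling folder"))
                data = (here / name).read_bytes()
                if any(EXEC_HINT.search(s) for s in printable_strings(data)):
                    findings.append((rel, "shortcut target references an executable or interpreter"))
            elif DOUBLE_EXT.search(name):
                findings.append((rel, "document-looking name with executable extension"))
    return sorted(findings)


def build_constructed_drive(base: Path) -> Path:
    """Create a constructed sample tree that imitates the lure layout.
    Every file here is made up for the example."""
    (base / "Photos").mkdir()
    (base / "Photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")  # placeholder image bytes
    # Constructed stand-in for a shortcut whose target launches rundll32;
    # a placeholder 4-byte prefix followed by a UTF-16LE target string.
    (base / "Photos.lnk").write_bytes(
        b"L\x00\x00\x00" + "rundll32.exe update.dll,Run".encode("utf-16-le"))
    # Constructed benign shortcut that merely points at a document.
    (base / "Report.lnk").write_bytes(
        b"L\x00\x00\x00" + "D:\\Report\\summary.docx".encode("utf-16-le"))
    # Fake "document" carrying an executable extension (constructed).
    (base / "avupdate.pdf.exe").write_bytes(b"MZ")
    return base


def run_demo() -> list[tuple[str, str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_drive(build_constructed_drive(Path(tmp)))


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{path}: {reason}")
```

Point `scan_drive` at the mount point of a write-blocked image rather than the live device; the benign `Report.lnk` in the sample produces no finding, while the folder-named shortcut is flagged twice (name collision and executable target), which is the combination worth escalating.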
The findings underscored the weak spots in many security strategies. “The worst-kept secret that bad actors leverage is that any phishing or Trojan-based malware, regardless of delivery mechanism, still depends on the lack of encryption on the target system’s data,” said Scott Bledsoe, CEO at Theon Technology. “Even relying on current established encryption approaches leaves organizations vulnerable to algorithmic decryption and/or quantum computer-based decryption faster than may be expected.”
If there were any doubts that security teams should patch flaws, then consider that from 2012-2015, “Aoqin Dragon relied heavily on CVE-2012-0158 and CVE-2010-3333 to compromise their targets.”
Activity that used lure documents containing themes related to Malaysia Airlines Flight 370’s disappearance was documented in a 2014 FireEye blog. “Although those vulnerabilities are very old and were patched before being deployed by Aoqin Dragon, this kind of RTF-handling vulnerability decoy was very common in that period,” SentinelLabs researchers said.
Those decoy documents revealed what the researchers believed are three interesting points. “First, most decoy content is themed around targets who are interested in APAC political affairs. Second, the actors made use of lure documents themed to pornographic topics to entice the targets,” they said. “Third, in many cases, the documents are not specific to one country but rather the entirety of Southeast Asia.”
It wasn’t much of a stretch for researchers to float an attribution and motive. “The targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests,” researchers said. “Considering this long-term effort and continuous targeted attacks for the past few years, we [believe] the threat actor’s motives are espionage-oriented.”
Identifying and tracking state and state-sponsored threat actors is “challenging,” said Mike Parkin, senior technical engineer at Vulcan Cyber, because “they often appear to be criminal threats, using the same tools and techniques and often going after the same targets.”
Therefore, “conclusively linking them to a given state often requires a deeper analysis and understanding of their motives,” Parkin said. “SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and which doesn’t appear in other lists, shows how hard it can be to be certain when you’re identifying a new threat actor.”
But Aoqin Dragon is in keeping with China’s MO. “The Chinese government has always done remarkable work in highly-specific targeting designed to infect their espionage targets,” said John Bambenek, principal threat hunter at Netenrich. “They are spending real effort to do the research to make sure they can discreetly infect organizations and operate for extended periods of time without being discovered.”
Image: Dragons by Grant Scharoff