Researchers at SentinelLabs announced on June 9th that they had identified a small but potent APT (Advanced Persistent Threat) with links to the Chinese state.
Researchers say one of the tactics and techniques Aoqin Dragon uses is pornographic-themed malicious documents, served as bait to entice victims to download them.
The APT, named Aoqin Dragon by researchers, has flown under the radar for nearly a decade by using evolving stealth tactics.
In the first years of recorded operation, Aoqin Dragon relied on exploiting old vulnerabilities – specifically, CVE-2012-0158 and CVE-2010-3333 – which potential targets may not yet have addressed.
Since 2018, Aoqin Dragon has used fake removable devices as its infection vector: a user clicks to open what appears to be a removable-device folder and in fact triggers a chain of actions that downloads a backdoor to their machine and establishes a C2 connection.
Not only that: the malware copies itself to any actual removable devices connected to the host machine, so that it can spread beyond the host and, the attackers hope, into the target’s broader network.
They’ve used DNS tunneling – manipulating the internet’s domain name system to sneak data past firewalls. One backdoor they leverage – known as Mongall – encrypts communication data between host and C2 server.
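DNS tunneling hides data in the labels of DNS queries, so a defender's first check is the shape of the queries themselves: long, high-entropy leftmost labels and a stream of never-repeated subdomains under one registered domain. The following is an added example (not SentinelLabs' code, and it does not model Mongall's actual protocol) that scores a constructed DNS query log for those indicators; the log format ("timestamp client qname"), thresholds and domain names are assumptions chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the page): "timestamp client qname".
# Client 10.0.0.5 resolves ordinary hostnames; client 10.0.0.7 issues queries whose
# leftmost label is a 32-character hex blob, the typical look of encoded tunnel data.
SAMPLE_LOG = """\
2022-06-09T10:00:01 10.0.0.5 www.example.com
2022-06-09T10:00:02 10.0.0.5 mail.example.com
2022-06-09T10:00:03 10.0.0.7 a3f9c1d2e4b5f6a7b8c9d0e1f2a3b4c5.updates.example-c2.test
2022-06-09T10:00:04 10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.updates.example-c2.test
2022-06-09T10:00:05 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.updates.example-c2.test
2022-06-09T10:00:06 10.0.0.7 deadbeef00112233445566778899aabb.updates.example-c2.test
2022-06-09T10:00:07 10.0.0.5 cdn.example.com
"""


def shannon_entropy(s):
    """Bits per character; encoded data scores high, human hostnames score low."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def registered_domain(qname):
    """Crude registrable-domain guess (last two labels). A real deployment
    should use the public suffix list so 'co.uk'-style TLDs are handled."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the detector
        ts, client, qname = parts
        records.append((ts, client, qname.lower()))
    return records


def detect_tunneling(text, min_queries=3, max_label_len=30, entropy_threshold=3.5):
    """Aggregate per (client, registered domain) and flag pairs where nearly every
    query has a fresh subdomain AND the leftmost label looks like encoded data."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "long_labels": 0, "high_entropy": 0})
    for _, client, qname in parse_log(text):
        dom = registered_domain(qname)
        sub = qname[:-len(dom)].rstrip(".") if qname.endswith(dom) else ""
        s = stats[(client, dom)]
        s["queries"] += 1
        if sub:
            s["subdomains"].add(sub)
            first = sub.split(".")[0]  # tunnel payload normally rides in the leftmost label
            if len(first) > max_label_len:
                s["long_labels"] += 1
            if shannon_entropy(first) > entropy_threshold:
                s["high_entropy"] += 1

    alerts = []
    for (client, dom), s in stats.items():
        if s["queries"] < min_queries:
            continue  # too little volume to judge
        unique_ratio = len(s["subdomains"]) / s["queries"]
        if unique_ratio >= 0.9 and (s["long_labels"] >= min_queries
                                    or s["high_entropy"] >= min_queries):
            alerts.append({"client": client, "domain": dom, "queries": s["queries"],
                           "unique_ratio": unique_ratio,
                           "long_labels": s["long_labels"],
                           "high_entropy": s["high_entropy"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_tunneling(SAMPLE_LOG):
        print("possible DNS tunnel:", alert)
```

Run against the constructed log, only the 10.0.0.7 / example-c2.test pair is flagged; the ordinary www/mail/cdn queries also have unique subdomains but fail the length and entropy checks, which is why both conditions are required. Tune the thresholds against your own resolver logs before deploying: CDN and anti-malware vendors legitimately emit long, high-entropy labels, so an allowlist of known domains belongs in front of this logic.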
Targets have tended to fall in just a few buckets – government, education and telecoms, all in and around Southeast Asia. Researchers assert “the targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests.”
Mike Parkin, senior technical engineer at Vulcan Cyber, wrote in a statement: “Properly identifying and tracking State and State-Sponsored threat actors can be challenging. SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn’t appear in other lists, shows how hard it can be ‘to be sure’ when you’re identifying a new threat actor.”