An In-Depth Look at Chinese APT, Aoqin Dragon

Executive Summary

Active since 2013, the APT Aoqin Dragon flew under the radar for ten years before researchers at Sentinel Labs identified their activity. Aoqin Dragon’s primary focus is cyberespionage against targets in Vietnam, Cambodia, Hong Kong, Australia, and Singapore. Although the Chinese speaking threat actor is a small group, they are powerful and launched attacks against education, government, and telecommunications organizations while remaining invisible. Let’s take a look at Aoqin Dragon’s techniques, tactics, and how the group was able to go unnoticed for a decade.

Aoqin Dragon TIR snapshot

aoqin dragon

Aoqin Dragon is a Chinese speaking threat actor who has been operating since 2013. The group is known for using explicit themes to infect users, as well as using USB shortcut techniques to spread their malware and infect other targets. Aoqin Dragon’s infection chain can be divided into three parts. They include:

The use of documents to exploit and trick victims into opening a malicious Word document to install a backdoor.
Luring victims into clicking on fake anti-virus icons or links to deploy malware in the victim’s device.
Forging a fake removable device to trick victims into opening a malicious folder and installing malware on their system.

According to our technology partner, SentinelOne's research team, Sentinel Labs, Aoqin Dragon’s baited documents (or lure documents) are geared towards targets interested in APAC political affairs. The documents also are not specific to one country but the entirety of Southeast Asia. Sentinel Labs also stated that because the group stayed in systems and networks long-term and were consistent with their attacks, they can assess that Aoqin Dragon’s motives are purely cyber espionage with their activities aligning with Chinese government political interests.

tactics and techniques

From 2012 to 2015, Aoqin Dragon took advantage of two vulnerabilities (CVE-2012-0158 and CVE-2010-3333) to compromise their targets. CVE-2012-0158 is a vulnerability in Windows Common Controls that allows for remote code execution. CVE-2010-3333 is a stack-based buffer overflow vulnerability in Microsoft Office that could allow attackers to execute arbitrary code via crafted RTF data.

Fake file icons and executable files have been used by varying threat actors over the years and is an effective tool for APTs like Aoqin Dragon. When combined with intriguing email content and a catchy file name, Aoqin Dragon can socially engineer their attacks and entice victims to click on a malicious file.

Since 2018, Aoqin Dagon has used fake removable USB device shortcuts as their initial point of infection. Victims who click on the shortcut icon will install a malicious loader, which contains two payloads. The first payload downloads the malicious files to removable devices for spreading and the second is an encrypted backdoor that creates a remote shell and uploads files to the victim’s machine. The second payload also downloads the files to Aoqin Dragon’s command and control servers. The encrypted backdoor also embedded three C2 servers for communication. Here is the attack chain of one of their most recent campaigns:

To initiate malware, a removable Disk shortcut is made that contains a specific path
After the victim clicks on the fake device, “Evernote Tray Application” is executed. This is followed by the use of DLL hijacking to load the malicious encashrep.dll loader as explore.exe.
Once the loader is executed, it checks if it is in any attached removable devices.
If the loader isn’t in the removable disk, it copies all modules under “%USERPROFILE%\AppData\Roaming\EverNoteService\”. This includes the backdoor loader, normal files, and the encrypted backdoor payload.
The value “EverNoteTrayUService” is used by the malware to set the auto start function. One the victim restarts their computer, “Evernote Tray Application” is executed, and DLL hijacking is used to load the malicious loader.
The loader checks the file path and then decrypts the payloads. As we mentioned previously, two payloads are used in the attack chain – 1. The spreader (copies malicious files to removable devices) and 2. The encrypted backdoor (injects itself into rundll32’s memory).

Aoqin Dragon also uses a custom backdoor that is more powerful than the previous one. The backdoor is a version of the Heyoka open-source project which uses spoofed DNS requests – creating bidirectional tunnel. Sentinel Labs stated that both backdoors have shell ability, but Heyoka is closer to a complete backdoor product.

Sentinel Labs stated that the main target type document formats Aoqin Dragon tries to find are Microsoft Word documents. Also, a script containing a “rar” command is embedded in the executable dropper with different fake security product icons. The dropper then employs a worm infection strategy using a removable device to infect malware into their victim’s device and breach their network.

Image 1: Infection Chain Flow

As you can see the DLL hijacking technique is used heavily by Aoqin Dragon to compromise targets and run their malware – including their newest malware loader, Mongall backdoor, and the modified version of Heyoka backdoor. According to Sentinel Labs, the Mongall backdoor is a small backdoor that goes back to 2013 when it was discovered by ESET. At that time, the threat actor using Mongall was targeting the Telecommunications Department and the Vietnamese government. Since then, Aoqin Dragon has been seen targeting Southeast Asia with an upgraded Mongall encryption protocol and Themida packer. Mongall isn’t rich in features but it’s still quite effective due to its ability to create a remote shell and upload files to a victim’s machine.

The modified Heyoka backdoor is a different from Mongall and is based on the Heyoka open-source project. The backdoor was modified to be a custom backdoor using the DLL injection to deploy in the victim’s environment. The debug log for Heyoka contains simplified Chinese characters, which indicates that the APT is Chinese speaking.

10 years the radar

Sentinel Labs has observed that Aoqin Dragon’s TTPs have evolved several times, which is how they were able to fly under the radar for a decade. The means they once used to infect their targeted devices has changed. During their first few years of operation, the threat actor relied on the previously mentioned CVE’s (CVE-2012-0158 and CVE-2010-3333). They were able to exploit these vulnerabilities due to their target’s negligence with patching.

In 2018, Aoqin Dragon changed the way they targeted devices by utilizing fake removable devices as their infection vector. They’ve also used other techniques to stay incognito, such as DNS tunneling. This technique involves the manipulation of an internet domain name system to bypass firewalls. Sentinel Labs reported that over time, Aoqin Dragon slowly executed their fake removable disc technique, which was done to keep their malware from being detected and removed by security products.

Researchers expect Aoqin Dragon to continue to conduct cyber espionage operations. They also expect the threat group to continue to advance their tradecraft and their methods for evading detection.

financially motivated threat groups vs. cyber espionage threat groups

Cyber Espionage Threat Groups

Unlike ransomware groups, cyberespionage threat actors are not typically seeking financial gain. Their purpose is to glean sensitive and classified data, trade secrets, and other forms of intellectual property that can be used politically. The attacks can be motivated by money, but this is not the case for cyber espionage groups most of the time.

Cyber Espionage groups generally target large corporations, government agencies, academic institution, and other organizations that have valuable intellectual property and technical data that can be used by another organization or government. Here is a list of assets cyber espionage threat actors attempt to access:

Military intelligence
Salaries (bonus structures and other information related to finances)
Academic research
Intellectual property (blueprints or formulas)
Research and Development data and activity
Political strategies, affiliations, and communications
Client or customer lists and payment structures
Business goals and strategic plans

By obtaining access to the aforementioned list, threat actors can target organizations and wage a war between individuals, such as political leaders and government officials, as well as business executives. Most cyber espionage activity is placed under the advanced persistent threat (APT) umbrella. APTs are sophisticated and they generally establish an undetected presence on networks and systems so they can gather the information they need. Like Aoqin Dragon, cyber espionage APTs use social engineering to gather information from their target. Social engineering exploits human emotions (curiosity, fear, empathy, etc.) to trick victims into clicking on links or downloading malware.

Financially Motivated Threat Groups

Ransomware gangs and data extortion groups fall under the category for financially motivated attacks. They are motivated solely by money and their operations move much quicker than cyber espionage. These individuals operate like a business, going after a variety of industries such as healthcare, agriculture, government, education, and engineering. These threat groups usually do one of two things during their attacks: encrypt data and hold it ransom in exchange for a decryption key or exfiltrate data and threaten to leak it if a ransom is not paid.

Ransomware gangs like Conti and Hive are known for deploying ransomware into their victim’s networks and systems. While they may go undetected at first, they don’t stay that way for long and will expose themselves once they have encrypted their victims’ data or gathered the information they need. Once the ransom is paid, they will provide their victims with the decryption key or will keep their sensitive information from being exposed – although they don’t always keep their word.

How Avertium is Protecting Our CUSTOMERS

Threat actors like Aoqin Dragon can gain unlimited access to networks and systems by remaining incognito for years, furthering reconnaissance. Avertium is here to keep your organization safe and to mitigate any attacks caused by APTs like Aoqin Dragon:

To identify the source of your breach and the scope that it reached; you’ll want to include Avertium’s DFIR (Digital Forensics and Incident Response) services in your protection plan. We offer DFIR to mitigate damage from a successful breach. This service is provided as an on-demand crisis response service, as well as a retainer-based program.
Implement XDR as a prevention method. Our XDR is a combination of monitoring software like LogRhythm, Microsoft Azure Sentinel, or AlienVault, combined with endpoint protection such as SentinelOne. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes endpoints, applications, network devices, and user interactions.
MDR provides an in-depth investigation into potential threats to an organization’s network. Avertium’s risk-based approach to managed security delivers the right combination of technology, field-validated threat intelligence, and resource empowerment to reduce complexity, streamline operations, and enhance cybersecurity resilience. If you need a more advanced security solution, MDR is the next step. MDR is an outsourced security control solution that includes the elements of EDR, enhanced with a range of fundamental security processes.
Avertium offers VMaaS to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
Avertium offers user awareness training through KnowBe4. The service also Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks.

Avertium’s Recommendations

Cybersecurity Education: Educate your employees on cyber security preparedness and the dangers of opening potentially malicious documents. Annual or quarterly training modules can help prevent threat actors from tricking employees into opening malicious email attachments.
Risk Analysis: Prevent an attack by ensuring your organization has a detailed defense strategy based on a risk analysis approach.
Tabletop Exercises: Have a good cyber incident response plan in place that has been tested with tabletop exercises.
Security Review: Be sure to review your cyber incident response plan and improve it every time it’s tested on real cyber threats.

MITRE Map

Indicators of Compromise (IoCs)

Mongall Domains

back[.]satunusa[.]org
baomoi[.]vnptnet[.]info
bbw[.]fushing[.]org
bca[.]zdungk[.]com
bkav[.]manlish[.]net
bkav[.]welikejack[.]com
bkavonline[.]vnptnet[.]info
bush2015[.]net
cl[.]weststations[.]com
cloundvietnam[.]com
cpt[.]vnptnet[.]inf
dns[.]lioncity[.]top
dns[.]satunusa[.]org
dns[.]zdungk[.]com
ds[.]vdcvn[.]com
ds[.]xrayccc[.]top
facebookmap[.]top
fbcl2[.]adsoft[.]name
fbcl2[.]softad[.]net
flower2[.]yyppmm[.]com
game[.]vietnamflash[.]com
hello[.]bluesky1234[.]com
ipad[.]vnptnet[.]info
ks[.]manlish[.]net
lepad[.]fushing[.]org
lllyyy[.]adsoft[.]name
lucky[.]manlish[.]net
ma550[.]adsoft[.]name
ma550[.]softad[.]net
mail[.]comnnet[.]net
mail[.]tiger1234[.]com
mail[.]vdcvn[.]com
mass[.]longvn[.]net
mcafee[.]bluesky1234[.]com
media[.]vietnamflash[.]com
mil[.]dungk[.]com
mil[.]zdungk[.]com
mmchj2[.]telorg[.]net
mmslsh[.]tiger1234[.]com
mobile[.]vdcvn[.]com
moit[.]longvn[.]net
movie[.]vdcvn[.]com
news[.]philstar2[.]com
news[.]welikejack[.]com
npt[.]vnptnet[.]info
ns[.]fushing[.]org
nycl[.]neverdropd[.]com
phcl[.]followag[.]org
phcl[.]neverdropd[.]com
pna[.]adsoft[.]name
pnavy3[.]neverdropd[.]com
sky[.]bush2015[.]net
sky[.]vietnamflash[.]com
tcv[.]tiger1234[.]com
telecom[.]longvn[.]net
telecom[.]manlish[.]net
th-y3[.]adsoft[.]name
th550[.]adsoft[.]name
th550[.]softad[.]net
three[.]welikejack[.]com
thy3[.]softad[.]net
vdcvn[.]com
video[.]philstar2[.]com
viet[.]vnptnet[.]info
viet[.]zdungk[.]com
vietnam[.]vnptnet[.]info
vietnamflash[.]com
vnet[.]fushing[.]org
vnn[.]bush2015[.]net
vnn[.]phung123[.]com
webmail[.]philstar2[.]com
www[.]bush2015[.]net
yok[.]fushing[.]org
yote[.]dellyou[.]com
zing[.]vietnamflash[.]com
zingme[.]dungk[.]com
zingme[.]longvn[.]net
zw[.]dinhk[.]net
zw[.]phung123[.]com

Mongall C2 Servers: IP Addresses

10[.]100[.]0[.]34 (Internal IPs)
10[.]100[.]27[.]4 (Internal IPs)
172[.]111[.]192[.]233
59[.]188[.]234[.]233
64[.]27[.]4[.]157
64[.]27[.]4[.]19
67[.]210[.]114[.]99

Mongall Hashes

a96caf60c50e7c589fefc62d89c27e6ac60cdf2c
ccccf5e131abe74066b75e8a49c82373414f5d95
5408f6281aa32c02e17003e0118de82dfa82081e
a37bb5caa546bc4d58e264fe55e9e9155f36d9d8
779fa3ebfa1af49419be4ae80b54096b5abedbf9
2748cbafc7f3c9a3752dc1446ee838c5c5506b23
eaf9fbddf357bdcf9a5c7f4ad2b9e5f81f96b6a1
6380b7cf83722044558512202634c2ef4bc5e786
31cddf48ee612d1d5ba2a7929750dee0408b19c7
677cdfd2d686f7148a49897b9f6c377c7d26c5e0
911e4e76f3e56c9eccf57e2da7350ce18b488a7f
c6b061b0a4d725357d5753c48dda8f272c0cf2ae
dc7436e9bc83deea01e44db3d5dac0eec566b28c
94b486d650f5ca1761ee79cdff36544c0cc07fe9
1bef29f2ab38f0219b1dceb5d37b9bda0e9288f5
01fb97fbb0b864c62d3a59a10e785592bb26c716
03a5bee9e9686c18a4f673aadd1e279f53e1c68f
1270af048aadcc7a9fc0fd4a82b9864ace0b6fb6
e2e7b7ba7cbd96c9eec1bcb16639dec87d06b8dd
ed441509380e72961b263d07409ee5987820d7ae
45d156d2b696338bf557a509eaaca9d4bc34ba4a
bac8248bb6f4a303d5c4e4ce0cd410dc447951ea
15350967659da8a57e4d8e19368d785776268a0e
008dd0c161a0d4042bdeb1f1bd62039a9224b7f0
db4b1507f8902c95d10b1ed601b56e03499718c
f5cc1819c4792df19f8154c88ff466b725a695f6
86e04e6a149fd818869721df9712789d04c84182
a64fbd2e5e47fea174dd739053eec021e13667f8
d36c3d857d23c89bbdfefd6c395516a68ffa6b82
d15947ba6d65a22dcf8eff917678e2b386c5f662
5fa90cb49d0829410505b78d4037461b67935371
9a9aff027ad62323bdcca34f898dbcefe4df629b
9cd48fddd536f2c2e28f622170e2527a9ca84ee0
19bd1573564fe2c73e08dce4c4ad08b2161e0556
a1d0c96db49f1eef7fd71cbed13f2fb6d521ab6a
936748b63b1c9775cef17c8cdbba9f45ceba3389
46d54a3de7e139b191b999118972ea394c48a97f
4786066b29066986b35db0bfce1f58ec8051ba6b
b1d84d33d37526c042f5d241b94f8b77e1aa8b98
7bb500f0c17014dd0d5e7179c52134b849982465
d1d3219006fdfd4654c52e84051fb2551de2373a
0ffa5e49f17bc722c37a08041e6d80ee073d0d8f
dceecf543f15344b875418ad086d9706bfef1447
fa177d9bd5334d8e4d981a5a9ab09b41141e9dcc
07aab5761d56159622970a0213038a62d53743c2
d83dde58a510bdd3243038b1f1873e7da3114bcf
a0da713ee28a17371691aaa901149745f965eb90
c5b644a33fb027900111d5d4912e28b7dcce88ff
db5437fec902cc1bcbad4bef4d055651e9926a89
ff42d2819c1a73e0032df6c430f0c67582adba74
3b2d858c682342127769202a806e8ab7f1e43173
c08bf3ae164e8e9d1d9f51dffcbe7039dce4c643
f41d1966285667e74a419e404f43c7693f3b0383
3ccb546f12d9ed6ad7736c581e7a00c86592e5dd
904556fed1aa00250eee1a69d68f78c4ce66a8dc
bd9dec094c349a5b7d9690ab1e58877a9f001acf
87e6ab15f16b1ed3db9cc63d738bf9d0b739a220
f8fc307f7d53b2991dea3805f1eebf3417a7082b
ece4c9fc15acd96909deab3ff207359037012fd5
7fdfec70c8daae07a29a2c9077062e6636029806
17d548b2dca6625271649dc93293fdf998813b21
6a7ac7ebab65c7d8394d187aafb5d8b3f7994d21
fee78ccadb727797ddf51d76ff43bf459bfa8e89
4bf58addcd01ab6eebca355a5dda819d78631b44
fd9f0e40bf4f7f975385f58d120d07cdd91df330
a76c21af39b0cc3f7557de645e4aaeccaf244c1e
7ff9511ebe6f95fc73bc0fa94458f18ee0fb395d
97c5003e5eacbc8f5258b88493f148f148305df5
f92edf91407ab2c22f2246a028e81cf1c99ce89e
d932f7d11f8681a635e70849b9c8181406675930
b0b13e9445b94ed2b69448044fbfd569589f8586
b194b26de8c1f31b0c075ceb0ab1e80d9c110efc
df26b43439c02b8cd4bff78b0ea01035df221f68
60bd17aa94531b89f80d7158458494b279be62b4
33abee43acfe25b295a4b2accfaf33e2aaf2b879
c87a8492de90a415d1fbe32becbafef5d5d8eabb
68b731fcb6d1a88adf30af079bea8efdb0c2ee6e
cf7c5d32d73fb90475e58597044e7f20f77728a
1ab85632e63a1e4944128619a9dafb6405558863
1f0d3c8e373c529a0c3e0172f5f0fb37e1cdd290
f69050c8bdcbb1b5f16ca069e231b66d52c0a652
6ff079e886cbc6be0f745b044ee324120de3dab2
8c90aa0a521992d57035f00d3fbdfd0fa7067574
5e32a5a5ca270f69a3bf4e7dd3889b0d10d90ec2
0db3626a8800d421c8b16298916a7655a73460de
01751ea8ac4963e40c42acfa465936cbe3eed6c2
6b3032252b1f883cbe817fd846181f596260935b
741168d01e7ea8a2079ee108c32893da7662bb63
b9cc2f913c4d2d9a602f2c05594af0148ab1fb03
c7e6f7131eb71d2f0e7120b11abfaa3a50e2b19e
ae0fdf2ab73e06c0cd04cf79b9c5a9283815bacb
67f2cd4f1a60e1b940494812cdf38cd7c0290050
aca99cfd074ed79c13f6349bd016d5b65e73c324
ba7142e016d0e5920249f2e6d0f92c4fadfc7244
98a907b18095672f92407d92bfd600d9a0037f93
afaffef28d8b6983ada574a4319d16c688c2cb38
98e2afed718649a38d9daf10ac792415081191fe
bc32e66a6346907f4417dc4a81d569368594f4ae
8d569ac92f1ca8437397765d351302c75c20525b
5c32a4e4c3d69a95e00a981a67f5ae36c7aae05e
d807a2c01686132f5f1c359c30c9c5a7ab4d31c2
155db617c6cf661507c24df2d248645427de492c
7e6870a527ffb5235ee2b4235cd8e74eb0f69d0e
2f0ea0a0a2ffe204ec78a0bdf1f5dee372ec4d42
041d9b089a9c8408c99073c9953ab59bd3447878
1edada1bb87b35458d7e059b5ca78c70cd64fd3f
4033c313497c898001a9f06a35318bb8ed621dfb
683a3e0d464c7dcbe5f959f8fd82d738f4039b38
97d30b904e7b521a9b7a629fdd1e0ae8a5bf8238
53525da91e87326cea124955cbc075f8e8f3276b
73ac8512035536ffa2531ee9580ef21085511dc5
28b8843e3e2a385da312fd937752cd5b529f9483
cd59c14d46daaf874dc720be140129d94ee68e39

SUPPORTING DOCUMENTATION

CVE - CVE-2010-3333 (mitre.org)

Aoqin Dragon APT targets entities in Southeast Asia and AustraliaSecurity Affairs

What is Cyber Espionage? – CrowdStrike

Chinese 'Aoqin Dragon' gang runs ten-year espionage spree • The Register

Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years - SentinelOne

Aoqin Dragon hacking group quietly spied on their targets for 10 years – Cyber Security Review (cybersecurity-review.com)

This hacking group quietly spied on their targets for 10 years | ZDNet

Chinese hacking group Aoqin Dragon quietly spied orgs for a decade (bleepingcomputer.com)

China-linked APT Flew Under Radar for Decade | Threatpost

Chinese-Linked APT Spying on Organizations for 10 Years (bankinfosecurity.com)

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

Related Resource: An In-Depth Look at Iranian APT "MuddyWater"

Chat With One of Our Experts

healthcare cyber espionage APT Chinese APT Aoqin Dragon Blog