Chinese-Linked APT Spying on Organizations for 10 YearsAttackers Use DLL Hijacking, DNS Tunneling to Evade Detection Post-Compromise
A recently identified Chinese hacking group dubbed Aoqin Dragon has been targeting government, education and telecommunication organizations in Southeast Asia and Australia since 2013 as part of an ongoing cyberespionage campaign, according to research from SentinelLabs.
Based on their analysis of the targets, infrastructure and malware structure of this campaign, the researchers say that they assess with moderate confidence that the threat actor is a Chinese-speaking team. The primary focus of the attackers is espionage targeting Australia, Cambodia, Hong Kong, Singapore and Vietnam.
The researchers say the hacking group seeks initial access by tricking users into opening a weaponized Word document as well as using fake removable devices. Other techniques used include DLL hijacking, Themida-packed files and DNS tunneling to evade post-compromise detection.
"The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project," the researchers say.
Initial Infection Chain
Aoqin Dragon's campaign, infection chain and tactics, techniques and procedures have evolved over the years, according to the researchers. They say the attackers' infection strategy includes using a malicious document and tricking users into opening a weaponized Word document to install a backdoor. A second method is luring users to double-click a fake antivirus to execute malware in the victim's host and a third is forging a fake removable device to lure users into opening a wrong folder, ultimately leading them into installing the malware.
"During 2012 to 2015, Aoqin Dragon relied heavily on CVE-2012-0158 and CVE-2010-3333 to compromise their targets. In 2014, FireEye published a blog detailing related activity using lure documents themed around the disappearance of Malaysia Airlines Flight MH370 to conduct attacks. Although those vulnerabilities are very old and were patched before being deployed by Aoqin Dragon, this kind of RTF-handling vulnerability decoy was very common in that period the researchers say.
While explaining activity using lure documents, the researchers uncovered three interesting points from such decoy documents:
The first observed that documents were themed around targets with an interest in APAC political affairs, whereas the second was pornographic topics. The third was documents not specific to one country, but to the entire Southeast Asia region.
The operators of Aoqin Dragon have also developed executable files masked with document icons such as Windows folders and antivirus vendor icons. The researchers say that by having a catchy file name and "interesting" email content, a user can be socially engineered into clicking on the file.
The executables are droppers to execute a backdoor and connect to the C2 server. "Although executable files with fake file icons have been in use by a variety of actors, it remains an effective tool, especially for APT targets," the researchers say.
The researchers say that the executable dropper contains an embedded rar command using different fake security product icons.
"Based on the script contained in the executable, we can identify the main target type of document formats they were trying to find, such as Microsoft Word documents," the researchers say, adding, "The dropper employs a worm infection strategy using a removable device to carry the malware into the target's host and facilitate a breach into the secure network environment."
The researchers also found that the same dropper was deploying other backdoors including the Mongall backdoor and a modified Heyoka backdoor.
Backdoor Variants Used
The small Mongall backdoor was first discovered in 2013 by the cybersecurity firm ESET.
The threat actor was trying to target the Vietnamese Telecommunications Department and government. More recently, Aoqin Dragon has been reported targeting Southeast Asia with an upgraded Mongall encryption protocol and Themida packer say the researchers.
The researchers say Mongall is an effective backdoor because it can create a remote shell, upload files to the victim's machine and send it to the attacker's command-and-control server.
An important feature of the backdoor is that it has embedded three C2 servers for communication. The researchers discovered that this backdoor's network transmission logic can be observed on the Chinese Software Developer Network, or CSDN.
"Compared to the old Mongall backdoor, the new version upgrades the encryption mechanism. However, new versions of Mongall still use GET protocol to send the information back with RC4 to encrypt or base64 to encode the victim machine's information," the researchers say.
The Heyoka backdoor is based on an open-source project and "Heyoka is a proof-of-concept of an exfiltration tool which uses spoofed DNS requests to create a bidirectional tunnel," the researchers say.
The operators behind the Aoqin Dragon modified and redesigned it to a custom backdoor using a DLL injection technique which helps them to deploy it in the victim's environment says SentinelLabs. It also uncovered Chinese characters in its debug log.
"The backdoor checks if it is run as system service or not, to make sure it has sufficient privileges and to keep itself persistent. The modified Heyoka backdoor is much more powerful than Mongall," the SentinelLabs researchers say. "Although both have shell ability, the modified Heyoka backdoor is generally closer to a complete backdoor product."
Palo Alto's Unit42 researchers observed one of the Mongall's backdoors in 2015, and they claim that the president of Myanmar's website was used in a watering hole attack on December 24, 2014.
In 2013, Vietnamese police retrieved information from the C2 server, allegedly belonging to the operators of the Mongall's backdoors.
They identified phishing mail server operators located in Beijing, China. "The two primary backdoors used in this operation have overlapping C2 infrastructure, and most of the C2 servers can be attributed to Chinese-speaking users," the researchers say.
Researchers at SentinelLabs say the activities of the Aoqin Dragon are closely aligned with the Chinese government's political interests.