Chinese Threat Actor Employs Fake Removable Devices as Lures in Cyber Espionage Campaign
“Aoqin Dragon” has been operating since at least 2013, with targets including government and telecommunications companies in multiple countries.
One of the primary hallmarks of an advanced persistent threat (APT) group is its ability to operate undetected for years while carrying out its specific mission.
The newest example is “Aoqin Dragon,” a China-based APT actor that researchers at SentinelOne recently discovered has been spying on organizations across multiple countries for the past 10 years. The group’s primary mission appears to be cyber espionage, and its targets have included organizations in the government, telecommunications, and education sectors in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.
In its analysis of the threat actor’s infrastructure and malware, SentinelOne said the evidence shows the group likely comprises a small Chinese-speaking team with potential links to an adversary that Mandiant has been tracking for some time as UNC94. Aoqin Dragon’s targeting suggests its interests are aligned with those of the Chinese government, though SentinelOne has not been able to confirm that.
In a report last week, SentinelOne said it was able to identify Aoqin Dragon activity going back to at least 2013 and continuing through today. Over that period, the threat actor — like other APT groups — has been constantly refining and tweaking its tactics, techniques, and procedures (TTPs), SentinelOne said.
In the initial stages, Aoqin Dragon relied heavily on exploits targeting a couple of old Microsoft vulnerabilities (CVE-2012-0158 and CVE-2010-3333) to compromise targets. Later the group began using various document lures to try to infect target systems. Lures included documents with political themes pertaining to the Asia-Pacific region and content with pornographic themes. Individuals who fell for these lures were infected with a backdoor called Mongall, or sometimes with a modified version of Heyoka, a tool based on an open-source proof of concept for exfiltrating data from compromised systems via DNS tunneling.
According to SentinelOne, Mongall is not especially feature-rich. Even so, it is effective and can create a remote shell for uploading files from an infected machine to the attacker’s command-and-control servers (C2). The malware embeds three C2 servers in its code, making it dangerous, SentinelOne said.
Rarely Used Tactic
Since at least 2018, Aoqin Dragon has been using fake removable devices — in addition to its usual document exploits — as a vector for gaining initial access to target systems. In cyberattacks involving removable devices, SentinelOne observed the threat actor placing a removable disk shortcut file on a compromised system. When clicked, the file initiates a sequence of activity that ends with a malicious loader being placed on the system.
Joey Chen, threat intelligence researcher at SentinelOne, says Aoqin Dragon’s use of a removable device for initial access is noteworthy because few actors use the approach these days. Instead of an actual physical removable device — such as a USB drive or DVD — the threat actors have been trying to lure users into clicking on a malicious removable disk shortcut file forged to look like a normal removable device.
“The USB shortcut file contains a specific path to execute the Evernote Tray Application and use DLL hijacking to load the malicious encrashrep.dll loader as explorer.exe,” Chen says. “The advantage of using a removable device as an initial access vector is that malicious files don’t need to land into the victim’s host machine.”
Mike Parkin, senior technical engineer at Vulcan Cyber, says the use of fake removable devices for initial access can be very effective, but it has never been the most common attack vector.
“There was a time when leaving infected USB thumb drives, DVDs, and CD-ROMs was a common penetration testing technique that mimicked what we saw threat actors doing in the wild,” he says. “Downloading and mounting an ISO file is the same idea, only entirely file-based.”
For threat actors, removable devices are another tool that they can deploy to infect their targets, Parkin says.
“If the victim can be enticed to download and launch the malware, the attacker has gotten around the need to breach the external defenses,” he says. “The victim did it for them.”
Several of Aoqin Dragon’s TTPs — such as DLL hijacking and DNS tunneling to evade detection — are similar to those that other threat actors use, says Chen. However, the threat actor’s use of removable devices as an initial access vector is somewhat different.
“In addition, the entire spread module and install module of the malware are all written by actors themselves,” he says. This has made it harder for typical endpoint protection systems to detect the malware, he notes.
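The DLL-hijacking pattern Chen describes (a legitimate Evernote tray binary launched from a shortcut and made to load the malicious encrashrep.dll loader) is the kind of thing an image-load telemetry rule can catch. The following is an added detection sketch, not code from the article or from SentinelOne: it runs over constructed Sysmon-style ImageLoad records and flags the pattern. Only the DLL name encrashrep.dll comes from the article; the host binary file name, the trusted install roots and the record format are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

SUSPECT_DLLS = {"encrashrep.dll"}        # loader DLL named in the article
HOST_IMAGE = "evernotetray.exe"          # ASSUMED file name of the Evernote Tray Application
# ASSUMED locations from which a legitimately installed copy would run / load DLLs
TRUSTED_ROOTS = ("c:/program files/", "c:/program files (x86)/", "c:/windows/")


@dataclass
class ImageLoad:
    image: str         # process that performed the load
    image_loaded: str  # DLL that was mapped into it


def parse_record(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' ImageLoad record."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ImageLoad(fields["Image"], fields["ImageLoaded"])


def is_trusted(path: str) -> bool:
    """True if the path sits under one of the assumed trusted install roots."""
    return PureWindowsPath(path).as_posix().lower().startswith(TRUSTED_ROOTS)


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason if the load matches the hijack pattern, else None."""
    dll, host = PureWindowsPath(ev.image_loaded), PureWindowsPath(ev.image)
    # 1) the loader DLL named in the report, mapped from outside trusted roots
    if dll.name.lower() in SUSPECT_DLLS and not is_trusted(ev.image_loaded):
        return f"known loader {dll.name} mapped from {dll.parent}"
    # 2) the abused host binary running outside its install location and
    #    resolving a DLL from its own (attacker-controlled) directory;
    #    PureWindowsPath compares case-insensitively
    if host.name.lower() == HOST_IMAGE and not is_trusted(ev.image) and dll.parent == host.parent:
        return f"{host.name} side-loaded {dll.name} from {host.parent}"
    return None


def scan(lines):
    """Return (process, reason) pairs for every record that matches."""
    return [(ev.image, reason) for ev in map(parse_record, lines) if (reason := classify(ev))]


# constructed sample records: a benign load, then the two suspicious shapes
SAMPLE = [
    "Image=C:\\Program Files (x86)\\Evernote\\EvernoteTray.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    "Image=E:\\Removable Disk\\EvernoteTray.exe|ImageLoaded=E:\\Removable Disk\\encrashrep.dll",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\EvernoteTray.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll",
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE):
        print(f"ALERT {image}: {reason}")
```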